Menu

Search for hundreds of thousands of exploits

"NPDS CMS REvolution-13 - SQL Injection"

Author

Exploit author

"Narendra Bhati"

Platform

Exploit platform

php

Release date

Exploit published date

2015-01-24

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
Title -  NPDS CMS Revolution-13 - SQL Injection Vulnerability

Credits & Author: 
Narendra Bhati  (  R00t Sh3ll ) 
www.websecgeeks.com

References (Source):
====================
http://www.npds.org/viewtopic.php?topic=26233&forum=12
http://websecgeeks.com/npds-cms-sql-injection/

Release Date:
=============
24-01-2015


CVE ID :
====================================
CVE-2015-1400



Product & Service Introduction:
===============================
http://www.npds.org/

Abstract Advisory Information:
==============================
Narendra Bhati ( R00t Sh3ll ) An Information Security Analyst In Pune ( India ) discovered a remote sql injection  vulnerability in the NPDS CMS .


Vulnerability Disclosure Timeline:
==================================
25-01-2015 :  Public Disclosure


Timeline Status:
=================
Reported To Vendor  14-12-2014 
Verified By Vendor 15-12-2014
Acknowledge By Vendor 14-01-2015
Public Disclosure By Vendor 24-01-2015
Technical Disclosure  25-01-2015
Vendor Security Advisory  http://www.npds.org/viewtopic.php?topic=26233&forum=12 
Technical Disclosure - http://websecgeeks.com/npds-cms-sql-injection/
CVE-2015-1400
Mitigation For This Vulnerability  There Is No Update By Vendor , But That Will Be Out Soon !

Affected Product(s):
====================
NPDS-Revolution-13

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High


Technical Details & Description:
================================
A sql injection web vulnerability has been discovered in the NPDS CMS - NPDS-Revolution-13.
The vulnerability allows an attacker to inject sql commands by usage of a vulnerable value to compromise the application dbms.

The sql injection vulnerability is located in the `query` parameter of the vulnerable `search.php ` application file. Remote attackers 
are able to inject own sql commands by usage of vulnerable `search.php ` file. A successful attack requires to 
manipulate a POST method request with vulnerable parameter `query` value to inject own sql commands. The injection is a time based ( tested ) by sql injection 
that allows to compromise the web-application and connected dbms.

Request Method(s):
        [+] POST

Vulnerable Module(s):
        [+] NPDS-Revolution-13

Vulnerable File(s):
        [+] search.php

Vulnerable Parameter(s):
        [+] query


Proof of Concept (PoC):
=======================
The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account.
For reproduce the security vulnerability follow the provided information and steps below to continue.

HTTP Request

##### ==========
POST /npds/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/npds/index.php?op=edito
Cookie: cookievalue
Connection: keep-alive
content-type:! application/x-www-form-urlencoded
Content-Length: 63

query=")and benchmark(20000000,sha1(1))-

====================================
Reference(s):
http://www.npds.org/viewtopic.php?topic=26233&forum=12
http://websecgeeks.com/npds-cms-sql-injection/


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerability `query` parameter value in the search.php file.
Use a prepared statement to fix the issues fully and setup own exception that prevents sql injection attacks.


Security Risk:
==============
The security risk of the remote sql injection web vulnerability as critical


Credits & Author:
==================
Narendra Bhati  (  R00t Sh3ll )
www.websecgeeks.com
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2016-05-16 "Web2py 2.14.5 - Multiple Vulnerabilities" webapps python "Narendra Bhati"
2015-08-28 "Wolf CMS - Arbitrary File Upload / Execution" webapps php "Narendra Bhati"
2015-01-24 "NPDS CMS REvolution-13 - SQL Injection" webapps php "Narendra Bhati"
2014-11-05 "MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting" webapps php "Narendra Bhati" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected