
CVE-2019-13292 PoC — webERP SQL injection vulnerability

Associated Vulnerability
Title: webERP SQL injection vulnerability (CVE-2019-13292)
Description: webERP is an open-source inventory, purchasing, sales and accounting system (an ERP system). It supports inventory management, permission and role management, order management, financial management and more. webERP 4.15 contains a SQL injection vulnerability. The flaw stems from the database-backed application's failure to validate externally supplied input that is used in SQL statements. An attacker could exploit it to execute unauthorized SQL commands.
Description
This is a Python3 script that demonstrates an exploit for a Blind SQL Injection vulnerability in WebERP version 4.15.
Readme
# Blind SQL Injection Exploit for WebERP

This is a Python3 script that demonstrates an exploit for a Blind SQL Injection vulnerability in WebERP version 4.15, initially discovered by Semen Alexandrovich Lyhin on June 10, 2019. The original exploit can be found [here](https://www.exploit-db.com/exploits/47013), and further details regarding the WebERP system can be obtained from the official WebERP website.

## Overview

The vulnerability lies in the way WebERP handles query data that arrives base64-encoded and is passed to the unserialize() function. The affected PHP script deserializes this data into an array without any sanitization; each element of that array is then placed directly into the SQL query without further checks, leaving the system open to SQL injection.

## This Script

This script works by exploiting the above vulnerability in the following steps:

1. A malicious query is prepared using the `generatePayload()` function. The function builds a serialized array containing SQL injection payloads and encodes it in base64.
2. The script logs in to the WebERP system using the provided credentials and the `getCookies()` function, which retrieves session cookies.
3. A new supplier is added to the system using the `addSupplierID()` function. The supplier's name is used later as a marker to identify the system's response.
4. The exploit is executed using the `runExploit()` function. It sends a POST request to the "Payments.php" page of the WebERP system, embedding the base64-encoded payload as a parameter in the POST data.
5. The response time of the request is measured. A significantly longer response time indicates that the SQL query was delayed by the injected sleep() command, confirming the presence of the SQL injection vulnerability.
    
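The missing check the overview describes (validating each decoded element before it reaches the SQL query) can be illustrated on the request side. The following Python is an added example, not code from this PoC or from the webERP project: it parses the base64-encoded PHP-serialized array itself rather than deserializing it, and accepts only elements that match an identifier allow-list. The allow-list pattern and the sample values are assumptions; the real format of the form field should be used in practice.

```python
import base64
import re
# Minimal parser for the PHP serialize() subset relevant here (arrays whose keys and
# values are integers, strings or nested arrays); any other tag is refused outright.
def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 2]
    if tag == b"i:":
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b"s:":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start, stop = colon + 2, colon + 2 + length        # skip the ':"' prefix
        if data[stop:stop + 2] != b'";':
            raise ValueError("bad string terminator")
        return data[start:stop].decode("utf-8", "replace"), stop + 2
    if tag == b"a:":
        colon = data.index(b":", pos + 2)
        count, pos, items = int(data[pos + 2:colon]), colon + 2, []  # skip ':{'
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            items.append((key, val))
        if data[pos:pos + 1] != b"}":
            raise ValueError("bad array terminator")
        return items, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

# Allow-list for each decoded element; assumes identifier-like values such as
# supplier codes (tighten this to the real format of the form field).
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,20}")

def check_param(b64: str) -> list:
    """Return findings for one base64 parameter; an empty list means it passed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        value, end = _parse(raw, 0)
        if end != len(raw):
            raise ValueError("trailing data after serialized value")
    except Exception as exc:                        # binascii.Error or ValueError
        return [f"undecodable: {exc}"]
    if not isinstance(value, list):
        return ["not an array"]
    return [f"element {v!r} is not a plain identifier" for _, v in value
            if not (isinstance(v, int) or isinstance(v, str) and ALLOWED.fullmatch(v))]

# Constructed samples (not captured traffic): a benign array, and one whose string carries SQL syntax.
BENIGN = base64.b64encode(b'a:2:{i:0;s:6:"SUPP01";i:1;i:12;}').decode()
HOSTILE = base64.b64encode(b'a:1:{i:0;s:12:"1 AND sleep(";}').decode()
```

Anything that is not a flat array of integers and identifier-like strings, including a nested array or trailing bytes after the serialized value, is reported rather than passed through.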
## Usage

```bash
python3 exploit.py <target> <path> <login> <password> <order>
```

Replace `<target>`, `<path>`, `<login>`, `<password>`, and `<order>` with your target IP address, target path, user login, user password, and company order respectively.

Example:

```bash
python exploit.py 192.168.1.1 'WEBerp/' admin weberp 1
```
File Snapshot

```
[4.0K] /data/pocs/a01fea4cba4fa2e4c9d8ade4e70d55c09a98613a
├── [3.5K] exploit.py
└── [2.1K] README.md

0 directories, 2 files
```