
SQL injection on the parameter "rows". #260

Open
m3n0sd0n4ld opened this issue May 1, 2023 · 3 comments

Comments

@m3n0sd0n4ld

Describe the bug
It has been evidenced that the "rows" parameter in "/admin/XXXXXXXX/jsonGrid" queries is vulnerable to SQL injection attacks, which would allow an attacker to extract sensitive and relevant information stored in the database.

To Reproduce
Steps to reproduce the behavior:

The following illustration shows the evidence of the server response with a SQL error when providing a single quotation mark in the "rows" parameter, returning the query being performed by the application:
image

Through an automated tool, it is shown that a remote and unauthenticated attacker would be able to identify two possible types of SQL injections and extract the databases.


Expected behavior
This resource should not be visible to unauthenticated users in the application (reported in the issue 259).

On the other hand, mitigation guidelines should be followed:

  • Use pre-built statements, parameterized queries or stored procedures to ensure that SQL elements in user input fields are never treated as genuine queries.
  • Validate user input using an allow list to prevent unwanted data from being sent to the database.
  • Display only generic error messages to users (hackers can get a lot of information from specific error messages related to failed queries).
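The three mitigation points above, as an added example that is not part of this issue or of the project's code: a minimal jsonGrid-style handler using the concatenation pattern the report describes, beside a hardened version that validates "rows" against an allow-list rule, binds it as a parameter and returns only a generic error. The grid schema, the MAX_ROWS bound and the sqlite3 back end are assumptions.

```python
import sqlite3

# Constructed in-memory table standing in for the application's grid data
# (sample data, not the project's real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE grid (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO grid (name) VALUES (?)",
                   [("alpha",), ("beta",), ("gamma",), ("delta",)])
    return db

def json_grid_vulnerable(db, rows):
    """Pattern described in the report: the raw 'rows' value is concatenated
    into the SQL text, so a stray quote produces a syntax error that is
    echoed back together with the query."""
    sql = "SELECT id, name FROM grid LIMIT " + rows
    try:
        return {"rows": db.execute(sql).fetchall()}
    except sqlite3.Error as e:
        # Verbose error handling: leaks the query to the caller (point 3).
        return {"error": f"{e}: {sql}"}

MAX_ROWS = 100  # assumed upper bound for a page of grid rows

def parse_rows(raw):
    """Allow-list validation (point 2): only a bounded positive integer is
    accepted; anything else is rejected before it reaches the database."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("rows must be a positive integer")
    n = int(raw)
    if not 1 <= n <= MAX_ROWS:
        raise ValueError("rows out of range")
    return n

def json_grid_hardened(db, rows):
    """Parameterized query (point 1) plus a generic error message (point 3)."""
    try:
        n = parse_rows(rows)
        cur = db.execute("SELECT id, name FROM grid LIMIT ?", (n,))
        return {"rows": cur.fetchall()}
    except (ValueError, sqlite3.Error):
        # Nothing about the query or the driver error is disclosed.
        return {"error": "invalid request"}
```

Feeding the single quote from the report to both handlers shows the difference: the vulnerable one returns the SQL text in its error, the hardened one only "invalid request".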
@valeLAcosta
Collaborator

Hello,
Could you tell me what tools you used to find and exploit the vulnerability, so we can reproduce and fix the problem?
Thanks

@m3n0sd0n4ld
Author

Hi,

Sure, I used Ghauri, but SQLMap should work as well.

Anyway, you have the manual test in which you print the whole SQL query with the affected parameter.

Thanks to you for taking the time to answer and provide a solution.

Best regards,

@m3n0sd0n4ld
Author

Hi,

INCIBE has indicated to me that the identifier CVE-2023-3039 has been reserved for this vulnerability; it will become effective as of 07/20/2023.

Best regards,
