
[security] CVE-2020-7229, SQL injection in search function #7

Closed
gwen001 opened this issue Jan 10, 2020 · 5 comments

Comments


@gwen001 gwen001 commented Jan 10, 2020

Description: An issue was discovered in Simplejobscript.com SJS before 1.65. There is unauthenticated SQL injection via the search engine. The parameter is landing_location. The function is countSearchedJobs(). The file is _lib/class.Job.php.

Environment:

  • Version: 1.64
  • OS: Ubuntu 16.10
  • Web server: Apache 2.4.18
  • PHP: 5.6.40
  • Database: MySQL 5.7.28
  • URL: /searched

Payload: landing_title=aaa&landing_location=77+or+(select+(sleep(2)))

Steps to Reproduce:
$ sqlmap --threads=10 --batch --dbms=mysql -u "http://local.simplejobscript.net/searched" --data="landing_title=aaa&landing_location=77" -p landing_location --banner

PoC: [screenshot: sjs-sqli-search]


@niteosoft niteosoft commented Jan 13, 2020

Hi,

how can we test this vulnerability live on the website when searching? (not from a command line tool or some website scans)
We have run the tests and tried to input SQL queries which have been successfully escaped when processed.

Let me know so we can look more closely into this.

Thank you for reporting.


@gwen001 gwen001 commented Jan 13, 2020

Use the following POST data on your demo homepage
https://demo.simplejobscript.com/

Data: landing_title=aaa&landing_location=77+or+(select+(sleep(1)))%23

You'll get a blank page which is enough to prove there is something wrong.
Using sqlmap on it would make it much easier:

[screenshot: sjs-demo-sqli]


@niteosoft niteosoft commented Jan 15, 2020

Hello,

could you please try and open "controllers/page_landing_searched.php" and add:

escape($_POST);
$landing_location = $db->getConnection()->real_escape_string($landing_location);

the bolded text? Or pull the latest commit. To see if this helps prevent the SQL injection.
The location is a selectbox where input cannot be entered, so I suspect this SQL would possibly be pushed into the website only by an experienced user from a command line request.

Maros


@gwen001 gwen001 commented Jan 15, 2020

Sorry, but that fix doesn't work because there is nothing to escape in the evil query, no single/double quotes. However, since $landing_location is supposed to be an integer, I would prefer the use of a cast:

$landing_location = (int)$landing_location;

It works pretty well.

To test all of this I strongly recommend trying Sqlmap.
You will see how easy it is to dump the whole database with that tool.
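The exchange above comes down to one point: `real_escape_string` only protects values that sit inside quotes, and `landing_location` is interpolated as a bare number. The script below is an added example (not code from the SJS project; the `jobs` table, `location_id` column and function names are assumptions) that shows the escaped payload coming out unchanged, the `(int)` cast collapsing it to `77`, a strict validation that rejects it outright so the attempt can be logged, and the shape of a prepared statement with a typed integer bind.

```php
<?php
declare(strict_types=1);

// Added example, not SJS project code. Table and column names are assumptions.

// Constructed attacker input: the time-based payload quoted in this thread.
$landing_location = "77 or (select (sleep(1)))#";

// Emulates the characters mysqli::real_escape_string rewrites (quotes,
// backslash, NUL, newline, CR, Ctrl-Z) so the script runs without a database.
function escape_like_mysqli(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Hypothetical shape of the vulnerable query: the value is interpolated
// unquoted, so there is nothing for the escaper to act on.
function build_count_query(string $loc): string
{
    return "SELECT COUNT(*) FROM jobs WHERE location_id = " . $loc;
}

// Strict validation: accept only a plain integer and return null otherwise,
// so the caller can reject and log the request instead of silently coercing.
function parse_location_id(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Hardened query: the id is bound as an integer through a prepared statement.
// Not executed here (no database); shown for the shape of the fix.
function count_searched_jobs(mysqli $db, int $locationId): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM jobs WHERE location_id = ?");
    $stmt->bind_param("i", $locationId);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

// escaped : ... location_id = 77 or (select (sleep(1)))#   (payload intact)
echo "escaped : " . build_count_query(escape_like_mysqli($landing_location)) . "\n";
// cast    : ... location_id = 77                            (tail discarded)
echo "cast    : " . build_count_query((string) (int) $landing_location) . "\n";
$id = parse_location_id($landing_location);
// validate: rejected, log the attempt
echo "validate: " . ($id === null ? "rejected, log the attempt" : "ok, id=$id") . "\n";
```

The cast is the minimal fix and is what the maintainer ended up shipping; the validation variant is worth the extra line in a search endpoint because a rejected request is a signal you can alert on, whereas `(int)` quietly turns the probe into a valid query and hides it from the logs.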


@niteosoft niteosoft commented Jan 16, 2020

Hello and thank you for your help!
Appreciated.

I have made the change and typecast it to integer.
Change will be publicly released in the product in a new version of SJS 1.66 in about a month.

I assume the issue can be closed now. Do let us know if this needs more attention and
thank you once again for reporting.

@niteosoft niteosoft closed this Jan 16, 2020
@gwen001 gwen001 changed the title SQL injection in search function [security] SQL injection in search function Jan 17, 2020
@gwen001 gwen001 changed the title [security] SQL injection in search function [security] CVE-2020-7229 - SQL injection in search function Jan 19, 2020
@gwen001 gwen001 changed the title [security] CVE-2020-7229 - SQL injection in search function [security] CVE-2020-7229, SQL injection in search function Jan 19, 2020