SQL injection in Data Objects function in pimcore/pimcore
Jul 14th 2023
Log in as an admin, go to the Data Objects function, and perform a sort action. Observe the request in Burp Suite; the injection point is the 'sort' parameter.
Proof of Concept
PoC request that makes the application sleep for 5 seconds (Data Objects function). Payload for the 'sort' parameter: %5b%7b%22property%22%3a%22id%3bselect%20sleep(5)--%20-%22%2c%22direction%22%3a%22DESC%22%7d%5d
Using SQL exploitation tools such as sqlmap, an attacker can enumerate all information in the database, alter data, or perform a denial of service against the backend database.
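To illustrate the root cause and the fix, the following added example (not pimcore's own code) decodes the 'sort' parameter above, shows the unsafe ORDER BY string-building that lets the 'property' value reach SQL, and a hardened builder that validates property and direction against a fixed allowlist; the allowed column set is a hypothetical assumption.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample values: the first is the advisory's payload URL-decoded,
# the second is a legitimate sort request from the same UI.
INJECTED_SORT = unquote(
    "%5b%7b%22property%22%3a%22id%3bselect%20sleep(5)--%20-%22%2c%22direction%22%3a%22DESC%22%7d%5d"
)
NORMAL_SORT = '[{"property":"id","direction":"DESC"}]'

# Hypothetical allowlist of sortable columns; a real application derives this
# from its schema or class definition, never from client input.
ALLOWED_COLUMNS = {"id", "key", "creationDate", "modificationDate"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_order_by_unsafe(sort_param: str) -> str:
    """The vulnerable pattern: 'property' is interpolated straight into SQL.
    Only builds the string; nothing here is executed against a database."""
    clauses = [f"{s['property']} {s['direction']}" for s in json.loads(sort_param)]
    return "ORDER BY " + ", ".join(clauses)


def build_order_by_safe(sort_param: str) -> str:
    """Hardened: identifier and direction are checked against fixed sets before
    being placed in the query; anything else is rejected with ValueError."""
    clauses = []
    for entry in json.loads(sort_param):
        prop = entry.get("property", "")
        direction = str(entry.get("direction", "ASC")).upper()
        if prop not in ALLOWED_COLUMNS or not IDENT.match(prop):
            raise ValueError(f"unsortable property: {prop!r}")
        if direction not in ("ASC", "DESC"):
            raise ValueError(f"invalid direction: {direction!r}")
        clauses.append(f"`{prop}` {direction}")
    return "ORDER BY " + ", ".join(clauses)


def is_injection_attempt(sort_param: str) -> bool:
    """True when the sort parameter fails validation; usable as a log-side
    check for requests that would have been rejected by the hardened builder."""
    try:
        build_order_by_safe(sort_param)
    except (ValueError, json.JSONDecodeError, AttributeError, TypeError):
        return True
    return False
```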