AttackerKB AKB:493DE795-FDC0-4514-A1C2-566D0108FD2E
Apr 06, 2020 - 12:00 a.m.

CVE-2020-7356


EPSS: 0.032 Low (Percentile: 91.2%)

CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter ‘wayfinder_seqid’ in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and execute SYSTEM commands.

Recent assessments:

h00die at June 17, 2020 3:54pm UTC reported:

At the time of writing (and exploit release) vulnerability had not been patched by vendor. Windows app which bundles Apache Tomcat and MySQL, so a nice default and consistent environment to exploit. Can be hard to detect version, it’s not readily available on any screens. language.js shows xPost 2.5, however this file may not change in the future when the patch is eventually released.

SQLi with mysql, this is a classic DUMPFILE sqli, but you need to know the webroot. Default install is C:/CayinApps/webapps/, but may possibly change install to install. Dump a JSP shellcode, load it through the web browser and done.

The SQLi is blind, sqlmap will detect it as time based, instead of a UNION as used in the exploit. I couldn’t get sqlmap to detect it as a UNION even when giving it more precise information.

Assessed Attacker Value: 5
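
For defenders reviewing access logs on an unpatched install, the following is an added detection example, not code from AttackerKB or the assessment above. It flags requests to wayfinder_meeting_input.jsp whose wayfinder_seqid value is not a plain number or contains SQL keywords. It assumes the parameter is normally numeric and that logs are in common log format; the /app/ path prefix, the keyword list and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET = "wayfinder_meeting_input.jsp"   # page named in the advisory
PARAM = "wayfinder_seqid"                # injectable GET parameter
# SQL words that have no place in an id value (list is an assumption)
KEYWORDS = re.compile(r"\b(union|select|dumpfile|outfile|sleep|benchmark)\b", re.I)
# Access-log line in common log format (assumed logging configuration)
REQ = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines, not real traffic; the /app/ prefix is hypothetical.
SAMPLE_LOG = """\
198.51.100.4 - - [17/Jun/2020:15:50:01 +0000] "GET /app/wayfinder_meeting_input.jsp?wayfinder_seqid=12 HTTP/1.1" 200 5120
203.0.113.7 - - [17/Jun/2020:15:54:09 +0000] "GET /app/wayfinder_meeting_input.jsp?wayfinder_seqid=1%20UNION%20SELECT%20X%20INTO%20DUMPFILE%20Y HTTP/1.1" 200 310
203.0.113.7 - - [17/Jun/2020:15:55:30 +0000] "GET /app/wayfinder_meeting_input.jsp?wayfinder_seqid=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120
198.51.100.4 - - [17/Jun/2020:15:56:00 +0000] "GET /app/search.jsp?q=union HTTP/1.1" 200 900
truncated or malformed line
"""

def suspicious_requests(log_text):
    """Return (ip, status, decoded value, reasons) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue                      # skip lines that are not requests
        url = urlsplit(m["uri"])
        if TARGET not in url.path.lower():
            continue                      # only the vulnerable page matters here
        # parse_qs percent-decodes, so encoded values are compared in clear
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            reasons = []
            if not re.fullmatch(r"[0-9]+", value):
                reasons.append("non-numeric")
            reasons += sorted({k.lower() for k in KEYWORDS.findall(value)})
            if reasons:
                hits.append((m["ip"], int(m["status"]), value, reasons))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Because the assessment describes a JSP file being written under the webroot, a hit here is worth pairing with a check for unexpected new .jsp files under the install's webapps directory.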
