CVE-2023-23331: How I Found My FIRST SQL Injection CVE-2023–23331 - Fahad Almulhim (0xHunter) - Medium

Amano Xoffice parking solutions 7.1.3879 is vulnerable to SQL Injection.


Good day everyone! I hope all of you are doing well.

SQL injection is one of the most critical vulnerabilities found in web applications. In this post I will show how we found a SQL injection vulnerability as an authenticated user while hunting, and how it led to compromising the back-end database.

What SQL Injection is and how to spot it

SQL injection is a code injection technique against applications that talk to a database. An attacker sends crafted input that becomes part of a SQL query, in order to extract, add, modify, or delete data in the database.

  • Vulnerable Software: Amano Xoffice parking solutions
  • Vulnerability: time-based blind SQL injection
  • Affected Version: 7.1 (7.1.3879)
  • Vendor Homepage: https://www.amano.eu/en/
  • CVE: CVE-2023-23331

Amano Xoffice parking solutions:

Amano’s Xoffice parking solutions refers to Xparc’s extensive, reliable carpark management software. This makes it the ideal solution for any type of car park.

Required Components:

Burp Suite: HTTP proxy tool for intercepting requests.

sqlmap: an open-source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers.

Steps to execution:

1- Find the vulnerable parameter “dt_insert” and try a SQL injection wordlist against it with the help of Intruder in Burp Suite; this gave us nothing.

Then inject the parameter with different SQL injection payloads by hand. With the PG_SLEEP(5) payload the vulnerable page still answered with an HTTP 200 OK response header, but the response was delayed, which is the sign of a time-based blind injection.

2- Save the request to a file and send it through sqlmap.

sqlmap -r request.req

The screenshot below shows the request in Burp Suite with the dt_insert parameter injected with the payload.

Burp Suite request (screenshot)

As seen below, when we send the request through sqlmap it confirms the SQL injection and reports further details, such as the operating system and the back-end DBMS.

Using sqlmap's os-shell feature, we were able to obtain a command execution shell on the back-end database server through the SQL injection vulnerability.

POC of the shell
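The trace this kind of finding leaves on the server side is a request whose parameter calls a delay function (PG_SLEEP is PostgreSQL's) followed by an unusually slow HTTP 200, and that is what a defender can hunt for in logs. The following Python is an added example, not code from the post: it parses web-server log lines, percent-decodes the query parameters, flags any value that calls a PostgreSQL delay function, and marks the hit as confirmed when the response time also exceeded the delay. The log format, the /xoffice/report path and the sample lines are constructed for the example; only the dt_insert parameter name and the PG_SLEEP(5) probe come from the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample web-server log lines (not from the original post). Assumed
# format: client_ip method request_target status response_time_ms
SAMPLE_LOG = """\
10.0.0.5 GET /xoffice/report?dt_insert=2023-01-15 200 84
10.0.0.5 GET /xoffice/report?dt_insert=2023-01-15%27%20AND%20PG_SLEEP(5)-- 200 5071
10.0.0.5 GET /xoffice/report?dt_insert=2023-01-16 200 91
10.0.0.9 GET /xoffice/report?dt_insert=2023-01-16%27%20AND%20pg_sleep(0)-- 200 77
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
# PostgreSQL delay functions: the PG_SLEEP(5) probe from the post is the trace a
# time-based blind injection leaves in the request, whatever the status code.
DELAY_FN_RE = re.compile(r"pg_sleep(?:_for|_until)?\s*\(", re.IGNORECASE)
# A response slower than this plus a delay function in the input is the
# "HTTP 200 but delayed" signal the post describes.
DELAY_THRESHOLD_MS = 4000


def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, target, status, ms = m.groups()
    return {"ip": ip, "method": method, "target": target,
            "status": int(status), "ms": int(ms)}


def find_time_based_probes(log_text, param_of_interest=None):
    """Return one finding per query parameter carrying a PostgreSQL delay function;
    verdict is 'confirmed' if the server also took >= DELAY_THRESHOLD_MS to answer,
    otherwise 'attempt'. Restrict to one parameter name via param_of_interest."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # parse_qsl percent-decodes values, so URL-encoded probes are caught too
        for name, value in parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True):
            if param_of_interest and name != param_of_interest:
                continue
            if DELAY_FN_RE.search(value):
                verdict = "confirmed" if rec["ms"] >= DELAY_THRESHOLD_MS else "attempt"
                findings.append({"ip": rec["ip"], "param": name, "status": rec["status"],
                                 "ms": rec["ms"], "verdict": verdict})
    return findings
```

Running find_time_based_probes(SAMPLE_LOG, "dt_insert") on the sample yields one confirmed hit (5071 ms) and one attempt (77 ms); the status stays 200 in both, which is why latency rather than status is the useful signal here.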

Acknowledgment:

Thanks to the team I have been working with, Saleh Alfawazan and Osama Aldosari, at the Saudi Information and Technology Company (SITE).

Related news

CVE-2023-23330: Amano Xparc Local File Inclusion (CVE-2023–23330) - Saleh - Medium

Amano Xparc parking solutions 7.1.3879 was discovered to be vulnerable to local file inclusion.
