CVE-2021-41932 | TeamMate+ blind SQL injection
A blind SQL injection vulnerability in the search forms of TeamMate+ Audit version 28.0.19.0 allows any authenticated user to inject arbitrary SQL, which can result in complete database compromise, disclosure of information about other users, unauthorized access to audit data, etc.
Vulnerable versions
This issue was found in version 28.0.19.0 and was fixed in version 33.0.31.0. Older versions might also be vulnerable (I was not able to test older versions).
Exploitation
The application contains multiple search inputs that suffer from blind SQL injection; the following list might not be complete:
- RAAP/Insert/Planning-Closure step/Search form
- RAAP/Insert/Key Risk area/Search form
- RAAP/Insert/Control/Search form
- RAAP/Insert/Control/Control and test procedure/Search form
- TeamInsights Reports/Get Report/Search form
The listed inputs can be used to inject SQL conditions that evaluate to either true or false, and the HTTP response status code serves as the oracle:
A true SQL condition in the search input (for example ' OR 1=1 -- ) causes the page to return status code 500.
A false SQL condition in the search input (for example ' OR 1=2 -- ) causes the page to return status code 200.
This principle can be used to extract secrets from the database one condition at a time; for example, if the database name starts with A, the following condition is true: ' OR db_name() LIKE 'A%' -- . Tools such as sqlmap can automate this process.
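As an added example that is not part of this advisory, the following Python check scans web server access logs for the boolean probe shape described above on search endpoints and tallies, per user, how many probes answered 500 versus 200, which is the oracle pattern a detection rule should key on. The sample log lines, the /Search paths and the q parameter are constructed assumptions, not values from the advisory.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format for a hypothetical TeamMate+ host;
# the /Search paths and the "q" parameter are assumptions, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Oct/2021:10:01:02 +0000] "GET /RAAP/Insert/Control/Search?q=revenue HTTP/1.1" 200 5120
10.0.0.9 - bob [12/Oct/2021:10:02:10 +0000] "GET /RAAP/Insert/Control/Search?q=%27+OR+1%3D1+-- HTTP/1.1" 500 312
10.0.0.9 - bob [12/Oct/2021:10:02:11 +0000] "GET /RAAP/Insert/Control/Search?q=%27+OR+1%3D2+-- HTTP/1.1" 200 4870
10.0.0.9 - bob [12/Oct/2021:10:02:12 +0000] "GET /RAAP/Insert/Control/Search?q=%27+OR+db_name%28%29+LIKE+%27A%25%27+-- HTTP/1.1" 500 312
10.0.0.5 - alice [12/Oct/2021:10:03:00 +0000] "GET /TeamInsights/GetReport/Search?q=O%27Brien HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+$')
# Boolean-blind probe shape from the advisory: a quote, OR/AND, an operand, then = or LIKE.
PROBE_RE = re.compile(r"'\s*(or|and)\s+[\w()]+\s*(=|like)\s*", re.IGNORECASE)

def parse_line(line):
    """Split one log line into ip, user, path, decoded query params and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec.pop("target"))
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)  # percent-decodes and turns '+' into spaces
    return rec

def find_sqli_probes(log_text):
    """One finding per search request whose parameter matches a boolean probe (O'Brien does not)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith("/search"):
            continue
        for name, values in rec["params"].items():
            for value in values:
                if PROBE_RE.search(value):
                    findings.append({"user": rec["user"], "ip": rec["ip"], "path": rec["path"],
                                     "param": name, "value": value, "status": rec["status"]})
    return findings

def oracle_flips(findings):
    """Per user: probes answered 500 (true branch) vs 200 (false branch); both from one user is the signature."""
    counts = {}
    for f in findings:
        counts.setdefault(f["user"], Counter())[f["status"]] += 1
    return {user: dict(c) for user, c in counts.items()}
```

A single hit proves little on its own; the alert condition worth raising is one user producing both status codes from the same search form in quick succession.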
Mitigation
Update your TeamMate+ application to version 33.0.31.0 or newer.