Sec Bug 1: Insufficient neutralization of special elements used in SQL Command leading to SQL Injection

Submitted:
2024-03-19 16:00 UTC
From:
Moritz Öhrlein CODE WHITE GmbH
Status:
in Development
Modified:
2024-03-26 12:57 UTC
Product:
Shopfloor.guide
Affected Version:
3.1.2
CVE ID:
PENDING
Fixed Version:
3.1.3

Description

The endpoint ../smartfactory/unit.php passes the query parameter level2 into a SQL statement without neutralizing special characters. An attacker can append a condition that calls the SLEEP() function, which turns the parameter into a time-based SQL injection vector.
Because the affected statement is reused, the injected SLEEP() is evaluated more than once, so the database server is kept waiting for a multiple of the requested interval; a small SLEEP() value is enough to produce a long delay.
The same injection point can be developed further into boolean-based queries that exfiltrate data, for example by combining CAST() with a binary search over the value of a column.
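The following PHP snippet is an added illustration and is not Shopfloor.guide's code: it reconstructs the vulnerable pattern the advisory describes (string concatenation of level2 into the query) next to a hardened version that validates the parameter and binds it with a prepared statement. The table name units, the column names, the function names and the connection details are assumptions made for the example.

```php
<?php
// Added example, not code from Shopfloor.guide. Table and column names are assumptions.

// --- Vulnerable pattern (hypothetical reconstruction) ---
// level2 is concatenated into the SQL text, so the request
//   unit.php?level2=1+AND+(SELECT(SLEEP(2)))
// produces   ... WHERE level2 = 1 AND (SELECT(SLEEP(2)))
// The injected condition is part of the WHERE clause and is evaluated for every
// candidate row (and again each time the statement is reused), so the total
// delay is 2 s multiplied by the number of evaluations, not a single 2 s pause.
function unitsVulnerable(PDO $db, string $level2): array
{
    $sql = "SELECT id, name FROM units WHERE level2 = " . $level2;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened version ---
// 1. Reject anything that is not an integer before it gets near the database.
// 2. Bind the value as a typed parameter; the SQL text never contains user input,
//    so "1 AND (SELECT(SLEEP(2)))" cannot become part of the query.
function unitsSafe(PDO $db, string $level2): array
{
    if (filter_var($level2, FILTER_VALIDATE_INT) === false) {
        http_response_code(400);
        throw new InvalidArgumentException('level2 must be an integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM units WHERE level2 = :level2');
    $stmt->bindValue(':level2', (int) $level2, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=smartfactory', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepared statements
// ]);
// echo json_encode(unitsSafe($db, $_GET['level2'] ?? ''));
```

With the hardened version, the payload from the Reproduction section is rejected with HTTP 400 before any query runs; a quick regression check is to request the endpoint once with a plain integer and once with the SLEEP() payload and confirm that the second request returns immediately with an error instead of a delayed page. Disabling emulated prepares ensures the parameter is sent to the server separately from the statement text rather than being escaped into it client-side.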

Reproduction

Go to ../smartfactory/unit.php?level2=1+AND+(SELECT(SLEEP(2)))

Result

The site will slow down or become unresponsive.

Patches

A patch is being developed and will be released in version 3.1.3.

Special Thanks

Moritz Öhrlein with CODE WHITE GmbH
Sonic Technology AG appreciates the efforts of its customers and partners who help us make our products safer and more reliable.