Sec Bug 1: Insufficient neutralization of special elements used in SQL Command leading to SQL Injection
Submitted:
2024-03-19 16:00 UTC
From:
Moritz Öhrlein CODE WHITE GmbH
Status:
in Development
Modified:
2024-03-26 12:57 UTC
Product:
Shopfloor.guide
Affected Version:
3.1.2
CVE ID:
PENDING
Fixed Version:
3.1.3
Description
The endpoint ../smartfactory/unit.php allows the query parameter level2 to be used as a time-based SQL injection vector by supplying the SLEEP() function. Because the injected command is reused within the query, the SQL server is put into a sleep state for the supplied duration multiplied by an arbitrary factor.
Further exploitation is possible by crafting boolean-based queries that exfiltrate information, or by leveraging binary search techniques using CAST().
Reproduction
Go to ../smartfactory/unit.php?level2=1+AND+(SELECT(SLEEP(2)))
Result
The site will slow down or become unresponsive.
Patches
A patch is being developed and will be released in Version 3.1.3.
Special Thanks
Moritz Öhrlein with CODE WHITE GmbH
Sonic Technology AG appreciates the efforts of its customers and partners who help us make our products safer and more reliable.
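The root cause described above is user input being concatenated into SQL text, which is why an expression such as SLEEP() is evaluated by the database. The following PHP is an added illustration written for this advisory; it is not Shopfloor.guide's source code and not the pending 3.1.3 patch. The `units` table, its columns, the `$db` mysqli connection and the helper names `find_unit_vulnerable` / `find_unit_hardened` are assumptions for illustration. It shows the vulnerable concatenation pattern beside a hardened version that validates the parameter type and binds it with a prepared statement.

```php
<?php
// Added example, not the project's own code. Table, column and connection
// details are assumed for illustration.

// --- Vulnerable form: the query parameter is pasted into the SQL text ---
// A value like "1 AND (SELECT(SLEEP(2)))" becomes part of the statement, so the
// database evaluates whatever expression the client supplied.
function find_unit_vulnerable(mysqli $db, string $level2): ?array
{
    $sql = "SELECT id, name FROM units WHERE level2 = " . $level2;
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened form: validate the type, then bind the value as a parameter ---
// The statement text is fixed at prepare time; the value travels separately and
// is never parsed as SQL, so SLEEP(), CAST() or boolean conditions in the input
// are inert. Invalid input is rejected outright rather than "cleaned".
function find_unit_hardened(mysqli $db, string $level2): ?array
{
    $id = filter_var($level2, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        http_response_code(400);   // level2 is expected to be a non-negative integer
        return null;
    }

    $stmt = $db->prepare("SELECT id, name FROM units WHERE level2 = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);   // 'i' forces integer binding
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd (assumed)
    $stmt->close();
    return $row ?: null;
}

// Assumed usage inside the endpoint:
// $db  = new mysqli('localhost', 'app_user', 'secret', 'shopfloor');
// $row = find_unit_hardened($db, $_GET['level2'] ?? '');
```

Two defensive checks complement the code change: run the application's database account with the least privilege the page needs (no access to other schemas, no file or administrative rights), and alert on web server log entries whose query strings contain `SLEEP(` or `BENCHMARK(` together with unusually long response times, since a time-based probe like the one in the Reproduction section is visible there before any data is exfiltrated.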