Sunday, April 14, 2024

[CVE-2024-22856] Authenticated Blind SQL injection in Axe Credit Portal


Last year, I had some opportunities to work with ACP of axefinance as a Penetration Tester; this is one of the biggest applications, with massive modules, that I have ever met. Fortunately, I discovered a high-impact vulnerability: Authenticated Blind SQL injection.

Axe Credit Portal (ACP) provided by axefinance is a highly flexible credit process automation and risk analytics software. It covers all aspects of the lending lifecycle: KYC, origination, application processing, credit scoring assessment, approval, limits & collateral management, document management, portfolio management, loss, recovery & provisioning, and credit administration. ACP software addresses the bank’s credit automation needs for all credit types including consumer loans, retail loans, mortgage loans, commercial loans, and corporate loans.


  • SQL injection in the Save Favorite Search function allows an authenticated attacker to execute unintended queries and disclose sensitive information from DB tables via crafted requests

  • Affected versions: 3.0 or higher

Steps to reproduce & PoC

  • Log in as the SaleRm user

  • Browse to ACL Menu -> Customer -> Search Customer

  • Fill in the Customer CIF field and click the yellow star icon to browse to the Save Favorite Search function

  • In the Favorite Criteria Name field, type a quote character (') and click Save

    • API http://<Instance>/Persistance/SaveFavoriteSearchCriteriaContent

    • Vulnerable Parameter:  favoriteSearchCriteriaName 

    • Evidence suggesting SQLi

  • Use the following payloads as the value of the vulnerable parameter above

    • 1' ; IF(1=1) WAITFOR DELAY '00:00:05'-- (Test)

    • 1' ; IF ASCII(LOWER(SUBSTRING(DB_NAME(),1,1)))=97 WAITFOR DELAY '00:00:05'--

      • This payload checks the 1st character of the current database name; if its ASCII code equals 97, the query is delayed for 5s

    • To automate this task, we test every character of the database name in the same way

      • Replace 97 with each number in (40,125)

    • After successful automation, we can compare the results to an ASCII table

    • Puzzle

      • Db_name() = 
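
Seen from the defender's side, the requests in the steps above leave a recognizable pattern in web logs. The following is an added example (not part of the original post and not axefinance code) that scans an access log for delay payloads in `favoriteSearchCriteriaName`, checks whether the response time suggests the delay actually ran, and flags sessions that step through several ASCII comparison values. The log line format, session names and timings are constructed assumptions; only the endpoint path, parameter name and payload strings come from the write-up.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote_plus

ENDPOINT = "/Persistance/SaveFavoriteSearchCriteriaContent"  # path from the write-up
PARAM = "favoriteSearchCriteriaName"                         # parameter from the write-up
# A quote that closes the string literal, later followed by a T-SQL delay.
DELAY = re.compile(r"'.*?WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.I | re.S)
# Integer a boolean probe compares against just before the delay.
PROBE = re.compile(r"=\s*(\d+)\s+WAITFOR", re.I)

def _line(ts, sid, ms, value):  # assumed format: time session method path ms body
    return f"{ts} {sid} POST {ENDPOINT} {ms} {PARAM}={quote_plus(value)}"

PROBE_SQL = "1' ; IF ASCII(LOWER(SUBSTRING(DB_NAME(),1,1)))={} WAITFOR DELAY '00:00:05'--"
TEST_SQL = "1' ; IF(1=1) WAITFOR DELAY '00:00:05'--"
SAMPLE_LOG = "\n".join([  # constructed data, not real traffic
    _line("10:00:01", "sessA", 140, "O'Brien family accounts"),  # benign apostrophe
    _line("10:02:10", "sessB", 5120, TEST_SQL),
    _line("10:02:30", "sessB", 130, PROBE_SQL.format(97)),
    _line("10:02:31", "sessB", 140, PROBE_SQL.format(98)),
    _line("10:02:32", "sessB", 5090, PROBE_SQL.format(99)),
    _line("10:05:00", "sessC", 90, TEST_SQL),  # payload sent, no delay observed
])

def analyse(log_text, min_probes=3):
    """Return per-session findings for delay payloads sent to the endpoint."""
    acc = defaultdict(lambda: {"hits": 0, "executed": 0, "probes": set()})
    for line in log_text.splitlines():
        parts = line.split(" ", 5)
        if len(parts) != 6 or parts[3] != ENDPOINT or not parts[4].isdigit():
            continue  # other endpoints and malformed lines are ignored
        session, duration_ms, body = parts[1], int(parts[4]), parts[5]
        for value in parse_qs(body).get(PARAM, []):
            match = DELAY.search(value)
            if not match:
                continue  # e.g. a legitimate name containing an apostrophe
            hours, minutes, seconds = map(int, match.groups())
            s = acc[session]
            s["hits"] += 1
            # Response at least as slow as the requested delay: it likely ran.
            s["executed"] += duration_ms >= (hours * 3600 + minutes * 60 + seconds) * 1000
            s["probes"].update(int(n) for n in PROBE.findall(value))
    return {sid: {"hits": s["hits"], "executed": s["executed"],
                  "enumerating": len(s["probes"]) >= min_probes}
            for sid, s in acc.items()}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A session with `executed` above zero deserves priority over one with only `hits`, since the response timing indicates the injected statement reached the database rather than being rejected or treated as data.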

After that, I sent a report to the axefinance team (5/2023); the vuln has been fixed by the R&D department of axefinance.

Thanks for reading,

Happy Hunting!
