Last year, I had some opportunities to work with ACP of axefinance as a Penetration Tester; this is one of the biggest applications with massive modules I have ever met. Fortunately, I discovered a high-impact vulnerability: Authenticated Blind SQL injection.
Axe Credit Portal (ACP) provided by axefinance is a highly flexible credit process automation and risk analytics software. It covers all aspects of the lending lifecycle: KYC, origination, application processing, credit scoring assessment, approval, limits & collateral management, document management, portfolio management, loss, recovery & provisioning, and credit administration. ACP software addresses the bank’s credit automation needs for all credit types including consumer loans, retail loans, mortgage loans, commercial loans, and corporate loans.
Description
SQL injection in the Save Favorite Search function allows an authenticated attacker to execute unintended queries and disclose sensitive information from DB tables via crafted requests.
Affected version: 3.0 or higher
Log in as the SaleRm user
Browse to ACL Menu -> Customer -> Search Customer
Fill in the Customer CIF field and click the yellow star icon to open the Save Favorite Search function
In the Favorite Criteria Name field, type a quote character (') and click Save
API: http://<Instance>/Persistance/SaveFavoriteSearchCriteriaContent
Vulnerable parameter: favoriteSearchCriteriaName
Evidence of SQL injection
Use the following payloads as the value of the vulnerable parameter above:
1' ; IF(1=1) WAITFOR DELAY '00:00:05'-- (Test: a 5 second delay in the response confirms the injection; WAITFOR DELAY is T-SQL syntax, so the backend is Microsoft SQL Server)
1' ; IF ASCII(LOWER(SUBSTRING(DB_NAME(),1,1)))=97 WAITFOR DELAY '00:00:05'--
This payload checks the first character of the current database name: if its ASCII code equals 97 ('a'), the query delays for 5 seconds; otherwise the response returns immediately.
To automate this task, test every character of the database name the same way: replace 97 with each value from 40 to 125, and replace the first argument of SUBSTRING (the 1) with the position of the character being tested. A position where no value delays is past the end of the name.
Once the automation has finished, map the matching codes to characters with an ASCII table. Because the payload wraps the name in LOWER(), only the lowercase form of the name is recovered.
Puzzle
Db_name() =
After that, I sent a report to the axefinance team (5/2023); the vulnerability has been fixed by the R&D department of axefinance.
Thanks for reading,
Happy Hunting!