Security Breach: Detecting and Exploiting SQL Injection in Contact Groups
Suspect a potential SQL injection in the macros used in Contact groups? Learn how to identify and exploit it through blind SQL injection techniques. Follow step-by-step instructions to execute a payload that alters user data and gain unauthorized access. Stay vigilant and proactively safeguard your data integrity.
Presentation Transcript
1. Broken Access Control
3. Injection
4. Insecure Design
We suspect that one of the macros used in Contact groups contains a SQL injection; try to find and exploit it! This is a blind SQL injection: you won't see the result in the response, but the injected query will execute in the background. If the query fails, the error is logged to the Event log.
1. Go to Contact Groups, create a new group and go to Conditions.
2. Select the 'Contact has value in field' macro. It allows us to insert arbitrary input before the operator in the WHERE clause (e.g. WHERE <field> contains <value>). You can identify it by inserting `, recalculating the group and then checking the Event log.
3. Final payload (changes the FirstName of the administrator account):
   1=1; UPDATE CMS_User SET FirstName='Joe' WHERE UserID = 53--
   - Finish the WHERE clause of the original query with any true statement, e.g. 1=1
   - Add ; to finish the first query
   - Arbitrary query to drop a table, dump data or anything else
   - Comment out everything else with --
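The following is an added example, not code from the slides or from the product they describe. It contrasts the flawed pattern behind the macro (a field name pasted into the WHERE clause in front of the operator) with a hardened form that checks the field against an allowlist and binds the value as a parameter. The OM_Contact table, its column names and the row values are constructed for this example; only CMS_User, FirstName and UserID = 53 come from the page. An in-memory SQLite database stands in for SQL Server, so the example renders the injected statement rather than executing the stacked UPDATE, and demonstrates the quote-probe failure that the page says surfaces in the Event log.

```python
import sqlite3

# Columns the "Contact has value in field" style filter is allowed to use.
# Assumed names for this example; a real allowlist would come from the schema.
ALLOWED_FIELDS = {"ContactEmail", "ContactFirstName"}

# Payload as written on the slide; used here only to show how it lands in the query.
PAYLOAD = "1=1; UPDATE CMS_User SET FirstName='Joe' WHERE UserID = 53--"


def make_db():
    """Constructed in-memory schema with sample rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE CMS_User (UserID INTEGER PRIMARY KEY, UserName TEXT, FirstName TEXT);
        INSERT INTO CMS_User VALUES (53, 'administrator', 'Admin');
        CREATE TABLE OM_Contact (ContactID INTEGER PRIMARY KEY,
                                 ContactFirstName TEXT, ContactEmail TEXT);
        INSERT INTO OM_Contact VALUES (1, 'Alice', 'alice@example.test');
        INSERT INTO OM_Contact VALUES (2, 'Bob', 'bob@example.test');
        """
    )
    return conn


def render_vulnerable_sql(field, value):
    """The flawed pattern: the field name is concatenated in front of the operator as-is."""
    return f"SELECT ContactID FROM OM_Contact WHERE {field} LIKE '%{value}%'"


def contacts_vulnerable(conn, field, value):
    """Runs the concatenated query; a stray quote in `field` breaks the statement."""
    return [row[0] for row in conn.execute(render_vulnerable_sql(field, value))]


def query_fails(conn, field, value):
    """Mirrors the page's probe step: does this input make the query error out?
    In the real system that error is what ends up in the Event log."""
    try:
        contacts_vulnerable(conn, field, value)
        return False
    except sqlite3.Error:
        return True


def contacts_hardened(conn, field, value):
    """Column names cannot be bound as parameters, so the field is checked against
    an allowlist; the value is bound as a parameter and never becomes SQL text."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field: {field!r}")
    sql = f"SELECT ContactID FROM OM_Contact WHERE {field} LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{value}%",))]


def admin_first_name(conn):
    """Used to confirm the administrator row is untouched after the hardened path."""
    return conn.execute("SELECT FirstName FROM CMS_User WHERE UserID = 53").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("legit (vulnerable path):", contacts_vulnerable(db, "ContactEmail", "alice"))
    print("quote probe fails:", query_fails(db, "ContactEmail'", "a"))
    print("rendered payload query:", render_vulnerable_sql(PAYLOAD, "a"))
    try:
        contacts_hardened(db, PAYLOAD, "a")
    except ValueError as exc:
        print("hardened path rejected field:", exc)
    print("admin FirstName still:", admin_first_name(db))
```

The rendered query makes the slide's breakdown visible: `1=1` closes the original WHERE, `;` ends the first statement, the UPDATE follows, and `--` comments out the trailing `LIKE '%a%'`. The hardened version never reaches the database with that input because the field name is not one of the allowed columns.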
Fragments from the remaining slides (other exercises), as extracted:
- Event log user@localhost.local Pass.word1 Digital Channel Manager Users
- Users Roles Event log
- administrator Users
- Users email email queue
- <img src=0 onerror=alert(1) /> Contact management
- http(s):// Forms application
- file upload xml file Cafe
- /api/cmd allowedExtensions 3. Resend / edit change png to xml (/getmedia/.../payload.xml