Findings for CVE-2022-30335
[Product Description]
Bonanza Wealth Management System (BWM) 7.3.2 allows SQL injection via the login form. Users who supply the application with a SQL injection payload in the User Name textbox could collect all passwords in encrypted format from the Microsoft SQL Server component.
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
Wealth Management System Limited
------------------------------------------
[Affected Product Code Base]
Bonanza Wealth Management System (BWM) - version 7.3.2
------------------------------------------
[Affected Component]
Login Form
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
SQL injection over login form
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
Processing
------------------------------------------
[PoC]
After running the application, wait until the login window shows on the screen.
1) Supply the User Name text box with a SQL injection payload such as a' OR 'g'='g-- . The textbox does not accept the space bar, but copying the payload and pasting it into the textbox did work.
2) Type any non-blank input in the Password textbox.
3) Submit the request by clicking the OK button and capture the result returned from the SQL server. Echo Mirage or any network sniffing tool could reveal a series of ciphertext passwords bound to each user of this application.
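The following is an added illustration, not code from the advisory or from the vendor: it models the flaw class described above (a login query built by string concatenation, so a tautology in the user name makes the server hand back every user's stored password) and contrasts it with a parameterized query. The table, the placeholder "encrypted" passwords and the tautology input are constructed for this demo (the input follows the shape of the PoC payload, with the string literal closed so that it parses in SQLite); the real product uses Microsoft SQL Server, and the query text is an assumption.

```python
import sqlite3

# Constructed stand-in for the application's user table; the password
# column holds placeholder strings, not real ciphertext.
SAMPLE_USERS = [
    ("alice", "ENC(placeholder-1)"),
    ("bob", "ENC(placeholder-2)"),
    ("carol", "ENC(placeholder-3)"),
]

# Constructed tautology input modelled on the advisory's PoC payload:
# closes the user-name literal, adds an always-true clause, and the
# trailing "--" comments out the rest of the WHERE clause.
TAUTOLOGY_INPUT = "a' OR 'g'='g'--"


def _connect():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, enc_password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(username, password):
    """Assumed flawed pattern: user input concatenated into the SQL text.

    With TAUTOLOGY_INPUT the effective query becomes
    ... WHERE username = 'a' OR 'g'='g'   (password check commented out)
    so every row, including each stored password, is returned.
    """
    query = ("SELECT username, enc_password FROM users WHERE username = '"
             + username + "' AND enc_password = '" + password + "'")
    return _connect().execute(query).fetchall()


def login_parameterized(username, password):
    """Hardened form: bound parameters, so the input is matched literally."""
    query = ("SELECT username, enc_password FROM users "
             "WHERE username = ? AND enc_password = ?")
    return _connect().execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    print("vulnerable:   ", login_vulnerable(TAUTOLOGY_INPUT, "x"))
    print("parameterized:", login_parameterized(TAUTOLOGY_INPUT, "x"))
```

The vulnerable call returns all three rows; the parameterized call returns nothing for the same input, and only a genuine user name and password pair matches.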
------------------------------------------
[Reference]
https://incognitolab.com
https://www.wealth.co.th/products/bonanza-wealth-management/
------------------------------------------
[Discoverer]
Pornsook Kornkitichai
------------------------------------------