Listen to this Post
The vulnerability exists in `/modules/stampe/actions.php` within the `update` case. User-controlled input from the `module` POST parameter is directly concatenated into an SQL `UPDATE` query without sanitization or prepared statements. While the `predefined` parameter is validated with intval(), the `module` parameter only undergoes an `!empty()` check. This allows an authenticated attacker to inject arbitrary SQL commands. The exploit uses error-based techniques with MySQL’s UPDATEXML(), EXTRACTVALUE(), or `GTID_SUBSET()` functions. By crafting a malicious payload in the `module` parameter, the attacker forces the database to execute SQL and return results within MySQL error messages, enabling data exfiltration.
Platform: OpenSTAManager
Version: Vulnerable versions
Vulnerability: SQL Injection
Severity: Critical
date: 2024-05-17
Prediction: Patch within 30 days
What Undercode Say:
python3 exploit_stampe_sqli.py -u admin -p password --url http://target
$dbo->query('UPDATE `zz_prints` SET `predefined` = 0 WHERE `id_module` = '.post('module'));
How Exploit:
Authenticated attack required. Attacker sends POST request to `/modules/stampe/actions.php` with malicious `module` payload. Exploit uses `UPDATEXML()` for error-based data extraction. Script automates login, injection, and parsing of error messages containing database information.
Protection from this CVE
Use prepared statements. Apply input validation. Sanitize `module` parameter. Update to patched version. Implement WAF rules.
Impact:
Data exfiltration possible. Authentication bypass potential. Full database compromise. Admin hash extraction. Complete system takeover.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

