![]() ![]() When this happens, the ORDER BY subquery containing sleep is short-circuited, and the query returns immediately instead of sleeping for 10 seconds. This happens when the authenticated user performing the injection has no permission to access any devices. There is one case where the above injection payload with the sleep doesn’t work. Confirming the Vulnerability: A Special Case So, using Burp Suite, we intercepted the HTTP PUT request and put in the payload asc, (select sleep(10) from dual) desc to confirm the vulnerability:Īs expected, the HTTP POST request to display the widget was delayed 10 seconds. And columns in ORDER BY clauses can also be subqueries. However, because ORDER BY clauses in SQL accept multiple columns, it’s possible to inject more columns via the sort argument. Normally a sort field in SQL should either be ASC or DESC. The sort field is an interesting place to execute a SQL injection. This is a second-order SQL injection because the request that delivers the injection payload (the HTTP PUT request to save the widget settings) is different from the request that executes the payload (the HTTP POST request to render the widget). On the backend, the LibreNMS application fetches the widget’s settings from the users_widgets table and maps the sort_order setting to the PHP $sort parameter. When a widget is subsequently rendered, the UI sends an HTTP POST request to fetch the data to be shown in the widget. These settings are saved as a JSON blob in the users_widgets database table. When a LibreNMS user edits a Dashboard widget in the web UI, the UI issues an HTTP PUT request containing the widget’s settings. Where is the $sort parameter coming from? In LibreNMS, we found two exploitable instances of “raw” queries in the TopDevicesController.php file where a sort order parameter, $sort, was not being sanitized: These “raw” queries offer more flexibility to developers but open up the possibility of SQL injection if inputs into them are not sanitized properly. To accommodate this, a lot of ORMs provide developers a way to bypass the ORM abstraction to create their own “raw” queries. One limitation of ORMs in general is that sometimes it’s hard to express complex SQL queries using ORM model objects. For instance, if you wanted to fetch a “User” model object using its primary key, in Eloquent you could do something like: $user = User::find($id) Īnd Eloquent would take care of sanitizing the $id input as part of constructing the SQL query to fetch the user. Using a mature, vetted ORM like Eloquent is generally good practice for preventing SQL injections because the ORM handles sanitizing inputs into SQL queries. ORMs provide a convenient abstraction for developers to interact with databases through “model” objects rather than database queries. LibreNMS uses the Laravel PHP framework and the Eloquent Object Relationship Mapper (ORM) that is built into Laravel. It’s also possible to execute a denial of service attack to bring down the application.ĬVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HĪs of this writing, there are about 3K instances of LibreNMS on the Internet that can be found with the Shodan dork “html: LibreNMS”. ![]() #SQL INJECTION BURP SUITE FULL#Attackers can use this vulnerability to disclose the full contents of the LibreNMS database, which includes user password hashes and credentials used to access devices being monitored by LibreNMS. ![]() Network monitoring applications are attractive targets for attackers because they often contain a wealth of information about other devices on the network. The vulnerability is fixed in LibreNMS 21.1.0. This vulnerability is exploitable by any authenticated user inside LibreNMS. While reviewing its source code, we discovered a second-order SQL injection vulnerability, CVE-2020-35700, in the Dashboard feature. LibreNMS is an open source solution for network monitoring based on PHP, MySQL and SNMP. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |