Tuesday, 6 February 2018

(#312598) GM - IDOR drives to SQLi on myConfig tool Status

It has been determined that private resources can be accessed without authentication. To understand how the application works, simply navigate through the affected domain: all resources redirect to the authentication panel without exception, so it is understood that the application's functionality is to access the authenticated part as a user.
After identifying that the application ran on Oracle BEA WebLogic, from the default error responses so typical of this software, we proceeded to brute-force .jsp file names under the primary URL:
This resulted in a 200 OK in some cases. One of the most interesting resources found was the following:
If we click on the previous link, we will see that we can access the status page of the application, which in turn redirects us to the authentication page. However, we can use Burp Suite to avoid following the redirect to the authentication panel:
Request:

GET /myconfig/status.jsp HTTP/1.1
Host: null.gm.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Part of Response:
<li class="ui-accordion-header ui-helper-reset ui-state-default ui-corner-all">
<a alt="news.jsp" href="?p=0">News</a>
</li>
<li class="ui-accordion-header ui-helper-reset ui-state-default ui-corner-all">
<a alt="issues.jsp" href="?p=1">Tasks</a>
</li>
<li class="ui-accordion-header ui-helper-reset ui-state-default ui-corner-all">
<a alt="information.html" href="?p=2">Information</a>
</li>
<li class="ui-accordion-header ui-helper-reset ui-state-default ui-corner-all">
<a alt="support.html" href="?p=3">Support</a>
</li>
<li class="ui-accordion-header ui-helper-reset ui-state-default ui-corner-all">
<a alt="alertMessages.jsp" href="?p=4">News Messages</a>
</li>

Therefore, this led us to obtain more resources from the private part of the application:
news.jsp
issues.jsp
information.html
support.html
alertMessages.jsp
In the response you will see the following JavaScript code:

<script type="text/javascript">$("document").ready(function() {
    $(".unsolvedIssue").click(function() {
        tid = $(this).attr("id");
        $("#mainContent").load("issues.jsp?i=" + tid);
        window.location.hash = "issues.jsp?i=" + tid;
    });
    Cufon.replace('h1,h2,h3');
    $(".unsolvedIssue").bind("mouseenter mouseleave", function() {
        $(this).toggleClass("ui-state-default");
    });
    $(".searchTid").keydown(function(e) {
        if (e.keyCode == 13) {
            tid = $(this).val();
            //alert("SELECT id FROM ticket WHERE id = '"+tid+"'");
            // The complete SQL statement is assembled in the browser and POSTed to
            // checkSql.jsp; the only filtering is the removal of single quotes.
            $.post("checkSql.jsp", {sql: "SELECT id FROM ticket WHERE id = '"+ tid.replace(/'/g,"") + "'", admin: "y"}, function(html) {
                //alert(html);
                if ($.trim(html) != "true")
                    $(".findIssueAnswer").hide().text("Could not find any issue with that number! Try again.").show(100);
                else {
                    href = "issues.jsp?i=" + tid;
                    if (href.indexOf("#") != -1)
                        href = href.substring(1);
                    $("#mainContent").load(href);
                    window.location.hash = href;
                }
            });
            return false;
        }
    });
    $(".unsolvedIssue").css("cursor", "pointer");
    $("#changeInfo").hide();
    $("#userGuide").hover(function(){
        $("#changeInfo").show();
    },function(){
        $("#changeInfo").hide();
    });
});</script>
It seems that the developer has left the SQL query in the client-side code, sent as a request parameter together with an admin flag:
$.post("checkSql.jsp", {sql: "SELECT id FROM ticket WHERE id = '"+ tid.replace(/'/g,"") + "'", admin: "y"},
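The root problem in the snippet above is that the browser decides both the SQL text and the admin flag, so stripping quotes on the client protects nothing. As an added example (not code from the report or from the affected application), the following server-side handler shows how the same ticket lookup should be done: the SQL text is a constant, the ticket id is validated and bound as a parameter, and authorisation comes from the server-side session. The in-memory `db` stand-in and the ticket ids are constructed for the example.

```javascript
// Constructed sample data standing in for the ticket table.
const TICKETS = new Set([101, 102, 250]);

// Stand-in for a parameterised database call: the statement text is fixed and
// the only variable part travels separately as a bound parameter.
const db = {
  execute(sql, params) {
    if (sql !== "SELECT id FROM ticket WHERE id = ?") throw new Error("unexpected SQL");
    return TICKETS.has(params[0]);
  },
};

function queryTicketExists(ticketId) {
  const sql = "SELECT id FROM ticket WHERE id = ?"; // constant, never concatenated
  return db.execute(sql, [ticketId]);
}

// Replacement for the checkSql.jsp pattern: the client sends only a ticket id.
// Returns { status, body } so the outcome can be checked directly.
function handleCheckTicket(body, session) {
  // 1. The legacy endpoint accepted raw SQL and an "admin" flag from the browser.
  //    Either field in a request now indicates an outdated client or tampering.
  if ("sql" in body || "admin" in body) {
    return { status: 400, body: "unsupported parameter" };
  }
  // 2. Authorisation is decided from the server-side session, not request fields.
  if (!session || !session.authenticated) {
    return { status: 401, body: "authentication required" };
  }
  // 3. Strict input validation: a ticket id is a positive integer and nothing else.
  const raw = body.tid;
  if (typeof raw !== "string" || !/^[1-9][0-9]{0,9}$/.test(raw)) {
    return { status: 400, body: "invalid ticket id" };
  }
  const found = queryTicketExists(Number(raw));
  return { status: 200, body: found ? "true" : "false" };
}
```

The response body keeps the "true"/"false" contract the existing front-end expects, so the client-side code only needs to post `tid` instead of `sql`.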
Conclusions:
The default error messages led to the detection of the technology used by the application (Oracle BEA WebLogic). The indirect access to authenticated resources gave us the possibility to see other private resources in the application, including a resource that builds and submits an SQL query from the client.
It was decided not to exploit the vulnerability, as it is evident.

Impact

An attacker could access private resources of the application in search of further flaws for later exploitation, or steal private information.

Note: This is the original report sent to HackerOne; the following post will explain it in more detail.