SQL Injection in Terminal Tariff Group feature of SmartVista SVFE2 version 2.2.22 (CVE-2022-38618)

CVE-2022-38618

Exploit Title: SQL Injection in Terminal Tariff Group feature of SmartVista SVFE2 version 2.2.22

Date: 26/07/2022

Exploit Author: Trong Pham aka Dtro of VietSunshine Cyber Security Services

Vendor Homepage: https://www.bpcbt.com/

Affected Version(s): SmartVista SVFE2 version 2.2.22

Description: SmartVista SVFE2 version 2.2.22 and earlier are affected by an SQL Injection vulnerability. An authenticated users could inject SQL query to "UserForm:j_id88,UserForm:j_id90,UserForm:j_id92" parameters in /SVFE2/pages/feegroups/country_group.jsf to dump all databases.

Steps to reproduce:

  • An attacker requires an account on the SmartVista SVFE2. An attacker can use a quote character to break query string and inject sql payload to "UserForm:j_id88,UserForm:j_id90,UserForm:j_id92" parameter in /SVFE2/pages/feegroups/country_group.jsf. Response data could help an attacker identify whether an injected SQL query is correct or not.

  • Example of injecting SQL to "UserForm:j_id90" parameter:

    • X'||(SELECT+CASE+WHEN+(user='Right_user')+THEN+TO_CHAR(1/0)+ELSE+NULL+END+FROM+dual)||'X -> Correct query -> return data

    • X'||(SELECT+CASE+WHEN+(user='Wrong_user')+THEN+TO_CHAR(1/0)+ELSE+NULL+END+FROM+dual)||'X -> Wrong query -> Return data with error messages (Database error "ORA-01476")

Last updated