Shilpi CAPExWeb 1.1 allows SQL injection via a servlet/capexweb.cap_sendMail GET request.
CVE ID: CVE-2020-24600
CVSS v3.1: 9.8 Critical
Vendor: Shilpi
CWE: CWE-89
Disclosed: Jul 1, 2020
Status: Fixed
01/Description
The GET request parameters in servlet/capexweb.cap_sendMail are vulnerable to SQL Injection. An unauthenticated user can take over the database of the application.
Vendor: Shilpi
Affected Product: CAPExWeb
CVE: CVE-2020-24600
Securin ID: 2020-CSW-01-1038
Status: Fixed
Date: July 1, 2020
Severity: Critical
CVSS Score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
02/Proof of Concept
1. The following vulnerability was tested on CAPExWeb version 1.1.
2. Figure-1: Default login page of the application.
3. Figure-2: Login form with invalid credentials.
4. Figure-3: Response shows the credentials are invalid.
5. Note: We cannot navigate to capforgotpassword.jsp directly, as the application takes the user id from the previously submitted request.
6. Figure-4: Response shows the user id as null if we navigate to capforgotpassword.jsp directly.
7. Figure-5: Forgot password page with the user-id value submitted on the login page. Now click the send request button.
8. Figure-6: Forgot password request.
9. Figure-7: Response from the server for an invalid user id.
10. Figure-8: Replay of the forgot password request with a user-id value containing a single quote returns an ORA "quoted string not properly terminated" error message from the database.
11. Figure-9: Replay with a user-id value containing two single quotes returns a valid error message from the application.
12. Figure-10: Replay with a user-id value containing a comment marker, to truncate the query after the user id, returns a "missing right parenthesis" error from the database server.
13. Figure-11: Replay with a user-id value containing a single quote and a right parenthesis returns a "quoted string not properly terminated" error message from the database server.
14. Figure-12: Replay with a user-id value containing a single quote, a right parenthesis, and a comment marker returns a "missing right parenthesis" error message from the database server.
15. Note: After analyzing the responses to the different payloads, the payload needs two right parentheses to work.
16. Figure-13: Replay with a user-id value containing a single quote, two right parentheses, and a comment marker returns a valid error message from the application.
17. Note: Successful execution of this functionality sends an email or SMS to the user, so on production servers checking this issue may impact all users. As we do not have a valid user id, an always-true condition would affect every user in the application; to limit the impact to one user, add a ROWNUM condition.
18. Figure-14: Request with the ROWNUM condition as part of the payload.
19. Figure-15: A user-id value with an always-true condition and the ROWNUM condition no longer returns "invalid user id or pan".
20. Figure-16: The payload XORXX')) or%201=ctxsys.drithsx.sn (1, (select%20sys.stragg(distinct%20banner)%20from%20v$version))-- in the request retrieves data from the database through the error message.
Figure-17: The available databases in the Oracle database server.
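As an added illustration (not part of the Securin advisory or the CAPExWeb product), the following Python script shows how a defender could spot the probing sequence above in web-server access logs: requests to the servlet/capexweb.cap_sendMail path whose decoded query values carry the quote, parenthesis, comment and Oracle-specific tokens the PoC walks through. The log lines are constructed samples, and the parameter name userid is an assumption, since the advisory only refers to the "user-id value".

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory. The query parameter name ("userid") is an
# assumption: the advisory only calls it the "user-id value".
VULN_PATH = "/servlet/capexweb.cap_sendMail"

# Constructed sample access-log lines (combined-log style); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2020:10:00:01 +0000] "GET /servlet/capexweb.cap_sendMail?userid=jdoe HTTP/1.1" 200 512
10.0.0.5 - - [01/Jul/2020:10:00:07 +0000] "GET /servlet/capexweb.cap_sendMail?userid=jdoe%27 HTTP/1.1" 500 1043
10.0.0.5 - - [01/Jul/2020:10:00:15 +0000] "GET /servlet/capexweb.cap_sendMail?userid=XORXX%27))%20or%201=1%20and%20rownum=1-- HTTP/1.1" 200 734
10.0.0.9 - - [01/Jul/2020:10:01:00 +0000] "GET /images/logo.png?userid=%27 HTTP/1.1" 200 2048
"""

# Indicators mirroring the probing steps in the PoC: stray quote, closing
# parenthesis, SQL comment marker, boolean tautology, Oracle-specific names.
INDICATORS = [
    ("single_quote", re.compile(r"'")),
    ("close_paren", re.compile(r"\)")),
    ("sql_comment", re.compile(r"--|/\*")),
    ("boolean_or", re.compile(r"\bor\b\s*\d+\s*=", re.IGNORECASE)),
    ("oracle_ref", re.compile(r"rownum|ctxsys|v\$version|stragg", re.IGNORECASE)),
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def inspect_line(line):
    """Return a finding for a suspicious request to the vulnerable servlet, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if not url.path.endswith(VULN_PATH):
        return None
    hits = set()
    params = set()
    # parse_qs percent-decodes values, so %27 is examined as a literal quote.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            for label, pattern in INDICATORS:
                if pattern.search(value):
                    hits.add(label)
                    params.add(name)
    if not hits:
        return None
    return {
        "status": int(match.group("status")),
        "params": sorted(params),
        "indicators": sorted(hits),
    }


def scan(log_text):
    """Scan a whole log and return findings tagged with their 1-based line number."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        finding = inspect_line(line)
        if finding:
            finding["line"] = number
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A single quote paired with a 500 response on this endpoint (sample line 2) is the signature of the error-based probing the PoC starts with; the later lines accumulate several indicators at once. In practice, add the indicator count and the response status to the alert so that one stray apostrophe in a legitimate user id is triaged differently from a request carrying comment markers and Oracle function names.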
03/Impact
A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.
04/Remediation
Use parameterized queries for any SQL statement that contains user input. With a parameterized query the statement text is fixed and the user-supplied values are bound separately, so the database never interprets those values as SQL, which removes the SQL injection in this query.
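The difference the remediation describes, as an added example that is not the advisory's or the vendor's code: a lookup by user id, first as the vulnerable string concatenation and then as a parameterized query. SQLite stands in for the Oracle database named in the PoC, the users table is constructed sample data, and the function names are illustrative; in the Java servlet the equivalent is java.sql.PreparedStatement with the same ? placeholder.

```python
import sqlite3


def build_db():
    """In-memory stand-in for the application's user table (constructed sample data,
    not from the advisory); SQLite replaces the Oracle database for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, user_id):
    """Vulnerable pattern: the submitted user id is pasted into the SQL text,
    so quotes, parentheses and comment markers in it are parsed as SQL."""
    sql = "SELECT user_id, email FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, user_id):
    """Remediated pattern: the statement is fixed and the user id travels as a
    bound parameter, so the driver never treats its contents as SQL."""
    sql = "SELECT user_id, email FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchone()


def probe(conn, lookup, user_id):
    """Run a lookup and report ("row", result) or ("error", message), mirroring how
    the PoC distinguishes application responses from database error text."""
    try:
        return ("row", lookup(conn, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    for uid in ("alice", "x'", "x' OR 1=1 --"):
        print(repr(uid),
              "unsafe:", probe(db, find_user_unsafe, uid),
              "safe:", probe(db, find_user_safe, uid))
```

With the concatenated version, a lone quote produces a parser error (the SQLite counterpart of the ORA "quoted string not properly terminated" message seen in Figure-8) and a tautology returns a row that does not belong to the submitted id; the parameterized version returns no row for either input. Two further points follow from the PoC: the probing only works because raw database error text reaches the client, so catch database exceptions in the servlet and return a generic message, and binding covers values only, so table or column names must never be built from request data either.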
Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-24600, contact disclose@securin.io
05/Disclosure Timeline
July 01, 2020: Discovered in our research lab
July 17, 2020: Followed up with the Vendor
July 29, 2020: Followed up with the Vendor
October 7, 2020: Informed CERT-In about the vulnerability
November 27, 2020: CERT-In confirmed the vulnerability fix
Timeline recorded · Disclosure coordinated by Securin
06/References