Exploitation of this issue could lead to information disclosure, access to unauthorized data, or even remote code execution. The places where this flaw is possible are listed further below.

In order to exploit the issue, an attacker must be able to craft a special SQL query in the context of the application. An example of such a query is as follows.

INSERT INTO `accounts` (`id`, `name`) VALUES ('%1', '%2');

If SQL injection is leveraged, the above query can be altered to the following.

INSERT INTO `accounts` (`id`, `name`) VALUES ('%1', '%2');
ROUND(`id`)

If this query is entered into the application, an attacker can obtain access to the SQL database of the application. The attacker can also execute any arbitrary SQL code. If the application is running on a web server, an attacker may be able to obtain administrator privileges. Additionally, an attacker may be able to obtain access to another system on the same network as the web server.

Exploitation of this issue may occur in the following places:
- The application running on a web server
- An environment where an attacker has executed code on the same network as the web server
- An environment where an attacker has admin privileges

Mitigation Strategies

Mitigation options are limited. The following measures can be taken, but they will not completely eliminate the risk.
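
Added example, not part of the original page: the INSERT statement shown earlier, built once by substituting values into the query text and once with bound parameters, which keep input as data. It uses Python's sqlite3 module; the table schema, function names and sample input are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample input: the quote closes the string literal early and
# the rest of the value becomes part of the statement's structure.
SAMPLE_NAME = "alice'), ('2', 'extra"


def new_db():
    """In-memory database with an accounts table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT, name TEXT)")
    return db


def insert_by_substitution(db, acc_id, name):
    """Weak form: values are pasted into the SQL text at '%1' and '%2'."""
    sql = "INSERT INTO accounts (id, name) VALUES ('%1', '%2');"
    sql = sql.replace("%1", acc_id).replace("%2", name)
    db.execute(sql)


def insert_with_parameters(db, acc_id, name):
    """Hardened form: the driver binds values; they are never parsed as SQL."""
    db.execute("INSERT INTO accounts (id, name) VALUES (?, ?)", (acc_id, name))


def rows_after(insert_fn, acc_id, name):
    """Run one insert against a fresh database and return the stored rows."""
    db = new_db()
    insert_fn(db, acc_id, name)
    rows = db.execute("SELECT id, name FROM accounts ORDER BY id").fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    # Substitution stores two rows; binding stores one row holding the raw text.
    print("substitution:", rows_after(insert_by_substitution, "1", SAMPLE_NAME))
    print("parameters:  ", rows_after(insert_with_parameters, "1", SAMPLE_NAME))
```

With substitution, a single call changes the shape of the statement and writes a second row; with bound parameters the same input is stored verbatim in one row.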

SQL Injection in the Application


SQL injection is a type of injection attack that exploits vulnerabilities in the backend of web applications. SQL injections can be caused by errors in input validation, errors in escaping data, or vulnerabilities in how SQL statements are processed by the application.

To exploit this issue, an attacker must inject a specially crafted SQL query into the application's backend. This can be accomplished through various methods such as:
- Exploiting a SQL injection vulnerability through cross-site scripting (XSS)
- Object Injection
- Command Injection

SQL Injection Examples

- An attacker could access the SQL database of the application.
- An attacker could execute any arbitrary SQL code on the server.
- An attacker could obtain administrator privileges on the web server and other systems on the same network.

Timeline

Published on: 11/16/2022 23:15:00 UTC
Last modified on: 11/20/2022 14:02:00 UTC
