SQL injection in SegmentAssignmentController.php in pimcore/customer-data-framework
Apr 9th 2023
An administrator user can use the inheritableSegments feature to execute his own blind SQL queries.
Proof of Concept
The vulnerable php code is in
src/Controller/Admin/SegmentAssignmentController.php, on method
The type parameter is not escaped and is concatenated into the SQL query without using prepared statements. This leads to a SQL injection through this parameter.
The query that is being executed is similar to this:
SELECT `parentId` FROM `TYPE + s` WHERE `id`=PARAMETRIZED_ID
We can see it in the following screenshot, where we are printing the $parentIdStatement variable in the HTTP response for debugging purposes.
In that example, we send type=document; the code appends an s and queries the documents table. For that reason, in order to get a working SQL injection, we need to supply an existing and valid table, like documents. As MySQL supports stacked queries, we can use them to execute any query we desire on the database. We have to take care of the last part of the query: + s` WHERE `id`=PARAMETRIZED_ID.
For that reason, we can build a query like this:
SELECT `parentId` FROM `documents`; MALICIOUS_SQL_QUERY; SELECT 1 FROM `documents` WHERE `id`=PARAMETRIZED_ID
This will run 3 SQL queries on the database:
SELECT `parentId` FROM `documents`
MALICIOUS_SQL_QUERY
SELECT 1 FROM `documents` WHERE `id`=PARAMETRIZED_ID
With this, we can run our malicious queries without errors. In order to achieve this, we must inject the following crafted payload in the type parameter:
documents`; MALICIOUS_SQL_QUERY; SELECT 1 FROM `document
This will raise an error in our response, because the type parameter is used again on line 62, after the query has been run against the DB. However, as we can see, our malicious query is executed. That is why this SQL injection is blind: we can still insert, edit or delete any data in the DB, and we can also obtain data with time-based or error-based queries.
A user with administrator privileges can run any SQL query on the database. This can be used to retrieve sensitive data, change database contents, or perform any other malicious activity against the database.
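The following is an added illustration, not code from pimcore/customer-data-framework: the concatenation pattern described in the Proof of Concept, beside an allowlist-based fix. It assumes a Doctrine DBAL Connection (as Pimcore controllers use), and the table names other than documents are assumed for illustration.

```php
<?php
// Added illustration, not code from pimcore/customer-data-framework.
// Assumes a Doctrine DBAL connection ($db) of the kind Pimcore controllers use.

use Doctrine\DBAL\Connection;

// Vulnerable shape described in the advisory: the element type taken from the
// request is concatenated into the table name, so only the id is parametrized
// and the table fragment can carry arbitrary SQL (including stacked statements).
function parentIdVulnerable(Connection $db, string $type, int $id): ?int
{
    $sql = 'SELECT `parentId` FROM `' . $type . 's` WHERE `id` = :id';
    $row = $db->fetchOne($sql, ['id' => $id]);
    return $row === false ? null : (int) $row;
}

// Hardened form: identifiers cannot be bound as query parameters, so the
// request value is mapped onto a fixed allowlist of table names and anything
// else is rejected before any SQL is assembled. Only `documents` is named on
// the advisory page; the other two entries are assumed for illustration.
const ELEMENT_TABLES = [
    'document' => 'documents',
    'asset'    => 'assets',
    'object'   => 'objects',
];

function parentIdSafe(Connection $db, string $type, int $id): ?int
{
    if (!array_key_exists($type, ELEMENT_TABLES)) {
        throw new \InvalidArgumentException('unknown element type');
    }
    // quoteIdentifier adds backticks; the value itself comes from the allowlist.
    $table = $db->quoteIdentifier(ELEMENT_TABLES[$type]);
    $row = $db->fetchOne("SELECT `parentId` FROM $table WHERE `id` = :id", ['id' => $id]);
    return $row === false ? null : (int) $row;
}
```

Because the table fragment can no longer contain anything outside the allowlist, the stacked-query vector from the Proof of Concept disappears along with the injection itself.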