SQL Injection in Service Group feature of SmartVista SVFE2 version 2.2.22 (CVE-2022-38615)

CVE-2022-38615

Exploit Title: SQL Injection in Service Group feature of SmartVista SVFE2 version 2.2.22

Date: 26/07/2022

Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services

Vendor Homepage: https://www.bpcbt.com/

Affected Version(s): SmartVista SVFE2 version 2.2.22

Description: SmartVista SVFE2 version 2.2.22 and earlier are affected by an SQL injection vulnerability. An authenticated user can inject SQL into the "UserForm:j_id88", "UserForm:j_id90" and "UserForm:j_id92" parameters (Group ID, Service ID and Description) of /SVFE2/pages/feegroups/service_group.jsf to dump all databases.

Steps to reproduce:

  • The attacker needs an account on SmartVista SVFE2. In /SVFE2/pages/feegroups/service_group.jsf, the "UserForm:j_id92" parameter (Description) is injected by using a quote character to break out of the query string before the SQL payload, while the "UserForm:j_id88" and "UserForm:j_id90" parameters (Group ID, Service ID) take the SQL payload without a quote character. The response data lets an attacker tell whether an injected SQL query is correct or not.

  • Example of injecting SQL into the "UserForm:j_id92" parameter (Description):

    • 'or '1%' LIKE '1 -> Correct query -> Returns all rows in the current table

    • 'or '1%' LIKE '0 -> Wrong query -> Returns 0 rows

  • Example of injecting SQL into the "UserForm:j_id88" and "UserForm:j_id90" parameters (Group ID, Service ID):

    • 1 or 1=1 -> Correct query -> Returns all rows in the current table

    • 1 or 1=0 -> Wrong query -> Returns 0 rows
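
Why the two kinds of field behave as described, and what closes the hole, shown as an added example that is not code from the advisory or from the vendor. The service_group table, its columns and rows, and the concatenated query shape are assumptions made for illustration, and Python with sqlite3 stands in for the product's own stack.

```python
import sqlite3

def make_db():
    # Constructed table and rows; the real SVFE2 schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE service_group "
               "(group_id INTEGER, service_id INTEGER, description TEXT)")
    db.executemany("INSERT INTO service_group VALUES (?, ?, ?)",
                   [(101, 10, "ATM fees"), (102, 20, "POS fees"), (103, 30, "Web fees")])
    return db

def run(db, where, args=()):
    sql = "SELECT group_id FROM service_group"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return db.execute(sql, args).fetchall()

def find_concat(db, group_id=None, description=None):
    """Assumed vulnerable shape: form values pasted into the SQL text."""
    where = []
    if group_id is not None:
        where.append(f"group_id = {group_id}")              # numeric context, no quotes
    if description is not None:
        where.append(f"description LIKE '{description}%'")  # quoted string context
    return run(db, where)

def find_bound(db, group_id=None, description=None):
    """Hardened shape: values are bind parameters, never SQL text."""
    where, args = [], []
    if group_id is not None:
        where.append("group_id = ?")
        args.append(int(group_id))   # ValueError for anything that is not an integer
    if description is not None:
        # Escape LIKE wildcards so the input is matched literally as a prefix.
        lit = description.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        where.append("description LIKE ? ESCAPE '\\'")
        args.append(lit + "%")
    return run(db, where, args)

if __name__ == "__main__":
    db = make_db()
    for value in ("'or '1%' LIKE '1", "'or '1%' LIKE '0"):   # inputs quoted on the page
        print(repr(value), len(find_concat(db, description=value)),
              len(find_bound(db, description=value)))
```

With bound parameters both Description inputs return the same empty result, so the response no longer distinguishes a "correct" query from a "wrong" one, and a non-integer Group ID is rejected before any SQL runs.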
