Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
2

CVE-2020-7356

Disclosure Date: April 06, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter ‘wayfinder_seqid’ in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and execute SYSTEM commands.

Add Assessment

5
Ratings
Technical Analysis

At the time of writing (and exploit release) vulnerability had not been patched by vendor. Windows app which bundles Apache Tomcat and MySQL, so a nice default and consistent environment to exploit. Can be hard to detect version, it’s not readily available on any screens. language.js shows xPost 2.5, however this file may not change in the future when the patch is eventually released.

SQLi with mysql, this is a classic DUMPFILE sqli, but you need to know the webroot. Default install is C:/CayinApps/webapps/, but may possibly change install to install. Dump a JSP shellcode, load it through the web browser and done.

The SQLi is blind, sqlmap will detect it as time based, instead of a UNION as used in the exploit. I couldn’t get sqlmap to detect it as a UNIONeven when giving it more precise information.

General Information

Vendors

  • Cayin Technology

Products

  • Cayin xPost

Additional Info

Technical Analysis