Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Cyclope Employee Surveillance Solution SQL Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A SQL injection vulnerability has been identified in Cyclope Employee Surveillance Solution versions 6.0, 6.1.0, 6.2.0, 6.2.1, and 6.3.0. The flaw resides in the login mechanism: the username parameter in the auth-login POST request is not properly sanitized. An attacker can therefore inject arbitrary SQL statements and use them to write a malicious PHP file to the server and execute it. The executed code runs under the SYSTEM user context, leading to remote code execution.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running under the SYSTEM user context.
Reproduction
To reproduce this vulnerability, send a POST request to the application's login endpoint with an injected SQL payload in the username parameter. The payload can, for example, use a UNION SELECT injection to manipulate the SQL query. Once the injection succeeds, the same technique can be used to write a PHP payload to the server's file system, which can then be executed to achieve remote code execution.
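For defenders, the following added example (not part of the original advisory and not vendor code) scans captured login requests for username values that carry the SQL constructs described above. The record layout, the `/auth-login` path, the `username` field name as it appears in the form body, and the username allowlist are assumptions; adapt them to what your proxy or WAF actually logs.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate usernames are short and use only these characters.
USERNAME_OK = re.compile(r"[A-Za-z0-9._@\\-]{1,64}")
# UNION SELECT is the construct named in the advisory; quotes and comment
# markers are the metacharacters an injected statement typically needs.
SQL_SIGNS = {
    "union-select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "quote": re.compile(r"['\"`]"),
    "comment": re.compile(r"--|#|/\*"),
}

def inspect_username(value):
    """Return the reasons a decoded username value looks like SQL injection."""
    reasons = [name for name, rx in SQL_SIGNS.items() if rx.search(value)]
    if not USERNAME_OK.fullmatch(value):
        reasons.append("outside-allowlist")
    return reasons

def scan(records):
    """Return (source, username, reasons) for each suspicious auth-login POST."""
    findings = []
    for src, method, path, body in records:
        # Only login POSTs are relevant to this advisory.
        if method != "POST" or "auth-login" not in (path + "?" + body):
            continue
        for value in parse_qs(body, keep_blank_values=True).get("username", []):
            reasons = inspect_username(value)
            if reasons:
                findings.append((src, value, reasons))
    return findings

# Constructed sample records: (source IP, method, path, form-encoded body).
SAMPLE = [
    ("192.0.2.10", "POST", "/auth-login", "username=j.doe&password=x"),
    ("198.51.100.7", "POST", "/auth-login",
     "username=a%27+UNION+SELECT+1%2C2--+&password=x"),
    ("192.0.2.11", "GET", "/index.php", ""),
]

if __name__ == "__main__":
    for src, user, reasons in scan(SAMPLE):
        print(f"{src}: suspicious username {user!r}: {', '.join(reasons)}")
```

The same `inspect_username` allowlist can be enforced in front of the application as a stopgap, but the actual fix is a parameterized query in the login code.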
