Kimai
cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*
- ~0.9.2
This vulnerability is being actively exploited in the wild.
A SQL injection vulnerability has been identified in Kimai versions 0.9.2.x, specifically through the db_restore.php endpoint. This vulnerability allows unauthenticated attackers to inject arbitrary SQL queries via the dates[] POST parameter. Under certain environmental conditions, the flaw can be exploited to write files using the INTO OUTFILE clause, potentially leading to remote code execution by placing a PHP payload in a web-accessible temporary directory.
Successful exploitation yields SQL injection and, where the environment permits, the ability to write files to the server with the INTO OUTFILE directive. If a PHP payload is written to a web-accessible directory, it can be executed, leading to remote code execution.
To reproduce this vulnerability, send a POST request to the db_restore.php endpoint with a crafted SQL injection payload in the dates[] parameter. The injection can be verified by checking if the payload is executed, such as by writing a web shell that can be accessed via the web server.
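Added defender-side example, not part of the advisory: a log check that flags requests to db_restore.php whose dates[] values are not ISO dates, using positive validation of the expected format rather than matching SQL keywords. The one-line request log format and the assumption that the parameter is logged (for example by a WAF or application-level request log, since dates[] travels in the POST body) are assumptions; the sample lines are constructed.

```python
import re
from datetime import date
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in a hypothetical format (assumption):
# "<client_ip> <METHOD> <path?params> <status>". Request parameters are shown
# inline so the dates[] values can be inspected offline.
SAMPLE_LOG = """\
10.0.0.5 POST /kimai/db_restore.php?dates%5B%5D=2013-04-01&dates%5B%5D=2013-05-01 200
10.0.0.9 POST /kimai/db_restore.php?dates%5B%5D=2013-04-01%27%20INTO%20OUTFILE 200
10.0.0.7 GET /kimai/index.php 200
10.0.0.9 POST /kimai/db_restore.php?dates%5B%5D=1%20OR%201%3D1 500
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def is_valid_date(value: str) -> bool:
    """Positive validation: dates[] is only ever expected to carry ISO dates."""
    try:
        date.fromisoformat(value)
        return True
    except ValueError:
        return False


def find_suspicious_requests(log_text: str) -> list[dict]:
    """Return one finding per db_restore.php request with a non-date dates[] value."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/db_restore.php"):
            continue  # only the vulnerable endpoint is of interest here
        # parse_qs percent-decodes both names and values, so the key is "dates[]"
        params = parse_qs(parts.query, keep_blank_values=True)
        bad_values = [v for v in params.get("dates[]", []) if not is_valid_date(v)]
        if bad_values:
            findings.append({"client": client, "method": method,
                             "status": int(status), "bad_values": bad_values})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Requests to db_restore.php should also be blocked at the web server for anyone who is not an administrator, since the endpoint performs database restores and has no business being reachable by unauthenticated clients.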