Kados
- <= R10 GreenBee
An SQL injection vulnerability has been identified in Kados R10 GreenBee. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter of the boards_buttons/update_feature.php file. The vulnerability arises because the feature_id value is directly concatenated into SQL statements without proper sanitization. Exploitation of this flaw enables attackers to send crafted GET requests with UNION-based payloads to extract sensitive database information, including details about the current user, database name, and DBMS version.
Exploitation of this vulnerability allows for arbitrary SQL execution, which could lead to unauthorized data access or manipulation. In this case, it was demonstrated to extract sensitive database information such as the current user, database name, and DBMS version.
To reproduce this vulnerability, send a GET request to the boards_buttons/update_feature.php endpoint with a crafted UNION-based SQL injection payload in the feature_id parameter. The injected SQL code will be executed by the application, allowing the attacker to extract sensitive database information.
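For defenders checking whether this endpoint has been probed, the following added example (not part of the advisory and not Kados code) scans web server access logs for requests to boards_buttons/update_feature.php whose feature_id is not a plain integer. It assumes combined log format, integer feature ids, and a hypothetical /kados/ install path; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "boards_buttons/update_feature.php"  # endpoint named in the advisory
PARAM = "feature_id"                            # parameter named in the advisory
# Common/combined log format: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Tokens that have no place in an id value (checked after URL decoding).
SQL_TOKENS = re.compile(r"\b(union|select)\b|--|/\*|'", re.IGNORECASE)

def classify(value):
    """Return None for a plain integer id, otherwise a reason string."""
    if re.fullmatch(r"\d{1,10}", value):        # assumption: ids are integers
        return None
    if SQL_TOKENS.search(value):
        return "sql-syntax"
    return "non-numeric"

def scan(lines):
    """Return (client, timestamp, status, reason, value) for suspicious hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # not a parsable access-log line
        client, ts, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(ENDPOINT):
            continue                            # other endpoints are out of scope
        # parse_qs percent-decodes values and turns '+' into a space.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            reason = classify(value)
            if reason:
                findings.append((client, ts, int(status), reason, value))
    return findings

# Constructed sample log lines (documentation IP ranges, hypothetical /kados/ path).
P = "/kados/" + ENDPOINT
SAMPLE_LOG = [
    f'192.0.2.10 - - [12/Mar/2025:10:01:02 +0000] "GET {P}?{PARAM}=12 HTTP/1.1" 200 512',
    f'198.51.100.7 - - [12/Mar/2025:10:03:44 +0000] "GET {P}?{PARAM}=12%20UNION%20SELECT%20NULL HTTP/1.1" 200 2048',
    f'198.51.100.7 - - [12/Mar/2025:10:03:51 +0000] "GET {P}?{PARAM}=abc HTTP/1.1" 500 0',
    f'203.0.113.5 - - [12/Mar/2025:10:04:10 +0000] "GET /kados/index.php?{PARAM}=1%20union HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 response to a flagged request deserves closer review than a 4xx or 5xx, since the endpoint is reachable without authentication.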