Diskover Web Boolean-Based Blind SQL Injection Vulnerability in Elasticsearch Configuration

Vulnerability

A boolean-based blind SQL injection vulnerability has been identified in Diskover Web version 2.3.0 Community Edition. The issue arises in the Elasticsearch configuration form, where unsanitized user input in several POST parameters can be manipulated to inject arbitrary SQLite expressions. Successful exploitation allows an attacker to infer or extract sensitive information from the database without authentication. The root cause is inadequate input validation and a lack of parameterization in the application's JSON-based query construction.

Impact

Exploitation of this vulnerability allows for boolean-based blind SQL injection, where an attacker can infer information from the database by crafting specific SQL payloads that exploit the application's query handling.

Reproduction

To reproduce this vulnerability, access the Elasticsearch configuration form in Diskover Web v2.3.0 Community Edition and submit crafted SQL payloads in the vulnerable POST parameters, such as ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, and ES_CHUNKSIZE. Because these values are embedded in the application's JSON-based query construction, injected SQLite expressions are executed when the form is submitted, allowing the attacker to extract or infer database information.
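As an added illustration (not Diskover's own code), the following Python sketches the hardening the advisory calls for: the ES_* fields listed above are allow-listed where their shape is known, and every value is bound as a SQLite parameter instead of being spliced into the statement text. The table name, numeric bounds, and the sample form submission are assumptions constructed for this example.

```python
import re
import sqlite3

# Assumed bounds for the numeric Elasticsearch settings named in the advisory
# (constructed for this example; Diskover's real limits may differ).
INT_FIELDS = {
    "ES_PORT": (1, 65535), "ES_TIMEOUT": (1, 3600),
    "ES_MAXSIZE": (1, 10**7), "ES_TRANSLOGSIZE": (1, 10**7),
    "ES_SCROLLSIZE": (1, 10**5), "ES_CHUNKSIZE": (1, 10**5),
}
TEXT_FIELDS = {  # shape-constrained text fields; ES_PASS is intentionally absent
    "ES_HOST": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "ES_USER": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
}


def validate_es_config(form):
    """Allow-list fields whose shape is known. ES_PASS is passed through: passwords
    may contain quotes, so parameter binding, not filtering, protects the query."""
    clean = {}
    for key, (lo, hi) in INT_FIELDS.items():
        raw = form.get(key, "")
        if not re.fullmatch(r"\d+", raw) or not lo <= int(raw) <= hi:
            raise ValueError(f"{key}: expected an integer in [{lo}, {hi}]")
        clean[key] = int(raw)
    for key, pattern in TEXT_FIELDS.items():
        if not pattern.fullmatch(form.get(key, "")):
            raise ValueError(f"{key}: unexpected characters")
        clean[key] = form[key]
    clean["ES_PASS"] = form.get("ES_PASS", "")
    return clean


def save_es_config(form):
    """Hardened save path: validate, then bind every value with '?' so nothing from
    the form reaches the SQL text. Returns the rows read back from the table."""
    clean = validate_es_config(form)
    conn = sqlite3.connect(":memory:")  # assumed config table, in-memory for the demo
    conn.execute("CREATE TABLE config (key TEXT PRIMARY KEY, value TEXT)")
    conn.executemany(
        "INSERT INTO config (key, value) VALUES (?, ?)",
        [(k, str(v)) for k, v in clean.items()],
    )
    return dict(conn.execute("SELECT key, value FROM config").fetchall())


# Constructed form submission; the password carries SQL metacharacters that a
# bound parameter stores verbatim as data rather than interpreting as SQL.
SAMPLE_FORM = {
    "ES_HOST": "es.internal", "ES_PORT": "9200", "ES_USER": "diskover",
    "ES_PASS": "p'ass\"w0rd--", "ES_TIMEOUT": "30", "ES_MAXSIZE": "10000",
    "ES_TRANSLOGSIZE": "512", "ES_SCROLLSIZE": "1000", "ES_CHUNKSIZE": "500",
}
```

A non-numeric ES_PORT such as "9200 OR 1" is rejected by validation before any SQL is built, while the quote-laden ES_PASS is stored exactly as typed.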

Added: Aug 27, 2025, 4:22 PM
Updated: Aug 27, 2025, 4:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.