WeGIA Time-Based Blind SQL Injection Vulnerability in Report Generation Endpoint

Vulnerability

A time-based blind SQL injection vulnerability has been identified in WeGIA, a web management tool for charitable institutions. The issue resides in the 'almox' parameter of the '/controle/relatorio_geracao.php' endpoint. This vulnerability allows attackers to inject arbitrary SQL queries, which could lead to unauthorized data access or further exploitation, depending on the database configuration. The vulnerability exists in version 3.3.3 and has been patched in version 3.4.1.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive data such as user information, passwords, and logs. It also allows for database enumeration, including schemas, tables, users, and versions. Depending on the database configuration, this vulnerability could be escalated to remote code execution. Additionally, if chained with other vulnerabilities, it could lead to a full compromise of the application.

Reproduction

The vulnerability can be reproduced by sending a request to the '/controle/relatorio_geracao.php' endpoint with a crafted SQL payload in the 'almox' parameter. The injection can be confirmed through time-based inference, for example by using the SLEEP() function and observing the delay in the application's response. Exploitation does not require authentication, so any client that can reach the endpoint can trigger it.

Remediation

Users can update to WeGIA version 3.4.1 to address this vulnerability.
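
For installs that ran 3.3.3 before the update, the access log can be checked for requests matching the pattern described under Reproduction. The script below is an added example, not part of the advisory or of WeGIA; it assumes an Apache combined log with the request duration (%D, microseconds) appended, that legitimate 'almox' values are numeric IDs, and a 3-second slowness threshold. The sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/controle/relatorio_geracao.php"  # endpoint named in the advisory
PARAM = "almox"                               # parameter named in the advisory
SLOW_US = 3_000_000  # assumed threshold (3 s); tune to your own baseline

# Assumed layout: Apache combined log format with %D appended as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "[^"]*")?(?: (?P<dur>\d+))?\s*$'
)
TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [07/Jul/2025:18:40:01 +0000] "GET /controle/relatorio_geracao.php?almox=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 41230',
    '198.51.100.7 - - [07/Jul/2025:18:41:12 +0000] "GET /controle/relatorio_geracao.php?almox=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "curl/8.0" 5043110',
    '198.51.100.7 - - [07/Jul/2025:18:41:30 +0000] "GET /index.php?almox=x HTTP/1.1" 200 900 "-" "curl/8.0" 20111',
]

def classify(line):
    """Return a finding dict for a suspicious request to ENDPOINT, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != ENDPOINT:
        return None
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    reasons = set()
    for v in values:  # parse_qs has already percent-decoded the value
        if not (v.isascii() and v.isdigit()):  # assumption: IDs are plain integers
            reasons.add("non-numeric value")
        if TIME_FUNCS.search(v):
            reasons.add("time-delay function")
    dur = int(m["dur"]) if m["dur"] else None
    if reasons and dur is not None and dur >= SLOW_US:
        reasons.add("slow response")  # delay consistent with time-based inference
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "values": values,
            "reasons": sorted(reasons), "duration_us": dur}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]
```

This only sees parameters sent in the query string; if the parameter arrives in a POST body, the same check has to run where request bodies are visible, such as a WAF or application-level logging.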

Added: Jul 7, 2025, 6:55 PM
Updated: Jul 7, 2025, 6:55 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.