Attack Chain

1. The attacker identifies an eNdonesia Portal 8.7 instance running a vulnerable version of the software.
2. The attacker crafts a malicious HTTP request targeting the mod.php script.
3. The attacker injects SQL code into one of the vulnerable parameters: artid, cid, did, contid, or aboutid. For example, mod.php?artid=1'+UNION+SELECT+version()--.
4. The web server processes the request and executes the injected SQL query against the database.
5. The database server executes the malicious SQL query due to the lack of proper input validation and sanitization in the mod.php script.
6. The database server returns the results of the injected SQL query to the web server. This may include sensitive information such as database version, user credentials, or other application data.
7. The web server includes the results of the SQL query in the HTTP response to the attacker.
8. The attacker parses the HTTP response to extract the sensitive information obtained from the database. The attacker may use this information for further malicious activities.

Impact

Successful exploitation of this SQL injection vulnerability can allow attackers to extract sensitive information from the eNdonesia Portal database. This may include usernames, passwords, database names, version details, and other confidential data. The extracted information can be used for subsequent attacks, such as account compromise, data theft, or further exploitation of the system.

Recommendation

• Deploy the Sigma rule to detect SQL injection attempts targeting the vulnerable parameters in mod.php.
• Apply input validation and sanitization to all user-supplied input, especially the artid, cid, did, contid, and aboutid parameters in mod.php, to prevent SQL injection attacks.
• Ensure that the eNdonesia Portal installation is updated to a version that addresses CVE-2018-25405.
• Monitor web server logs for suspicious activity, such as unusual HTTP requests or database errors, to identify potential SQL injection attempts.