Attack Chain

1. An attacker authenticates to the MyT-PM 1.5.1 application.
2. The attacker crafts a malicious POST request targeting the /charge/admin endpoint.
3. Within the POST request, the attacker injects SQL code into the Charge[group_total] parameter.
4. The application processes the request without properly sanitizing the Charge[group_total] parameter.
5. The injected SQL code is executed against the underlying database.
6. The attacker leverages the SQL injection to extract sensitive data (e.g., user credentials, financial information) using error-based, time-based blind, or stacked query payloads.
7. The attacker may further manipulate data within the database, potentially altering records or creating new entries.
8. The attacker achieves complete control over the database, potentially leading to full system compromise.

Impact

Successful exploitation of this SQL injection vulnerability can lead to the unauthorized disclosure of sensitive information, such as user credentials, financial records, and other confidential data stored within the MyT-PM database. Attackers may also be able to modify or delete data, leading to data integrity issues and potential disruption of business operations. This could result in financial losses, reputational damage, and legal repercussions for affected organizations.

Recommendation

• Apply patches or upgrade to a secure version of MyT-PM that addresses CVE-2019-25713.
• Deploy the provided Sigma rule to detect potentially malicious requests containing SQL injection attempts targeting the /charge/admin endpoint and the Charge[group_total] parameter.
• Implement input validation and sanitization measures to prevent SQL injection vulnerabilities in MyT-PM and other web applications.
• Monitor web server logs for suspicious POST requests to /charge/admin with unusual characters or SQL keywords in the Charge[group_total] parameter.