CVE-2023-36284
📋 TL;DR
CVE-2023-36284 is an unauthenticated time-based SQL injection vulnerability in Webkul QloApps 1.6.0 that allows remote attackers to bypass authentication and extract entire database contents via GET parameters. This affects all organizations running vulnerable QloApps installations without proper input validation. Attackers can exploit this without credentials to steal sensitive data.
💻 Affected Systems
- Webkul QloApps
📦 What is this software?
QloApps by Webkul
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, personal data, payment information, and administrative access leading to full system takeover.
Likely Case
Data exfiltration of sensitive information including user credentials, personally identifiable information, and business data.
If Mitigated
Limited or no impact with proper input validation, parameterized queries, and web application firewall rules in place.
🎯 Exploit Status
Time-based SQL injection requires no authentication and can be automated. Public proof-of-concept exists in the provided references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.1 or later
Vendor Advisory: https://webkul.com/blog/security-update-qloapps/
Restart Required: No
Instructions:
1. Back up your current installation and database.
2. Download the latest version from Webkul.
3. Replace vulnerable files with patched versions.
4. Verify that parameterized queries are implemented for the date_from, date_to, and id_product parameters.
🔧 Temporary Workarounds
Web Application Firewall Rules
Implement WAF rules to block SQL injection patterns in GET parameters.
ModSecurity rule: SecRule ARGS_GET "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
nginx:
    location ~* \.php$ {
        set $block_sql_injection 0;
        # $args is the raw, undecoded query string, so literal and percent-encoded forms are both listed.
        # Match injection tokens, or a quote inside one of the affected parameters; matching the bare
        # parameter names date_from/date_to/id_product would block every legitimate request to the page.
        if ($args ~* "union.*select|sleep(\(|%28)|benchmark(\(|%28)") { set $block_sql_injection 1; }
        if ($args ~* "(date_from|date_to|id_product)=[^&]*('|%27)") { set $block_sql_injection 1; }
        if ($block_sql_injection = 1) { return 403; }
    }
Input Validation Filter
Add input validation for the vulnerable parameters before they reach any query.
PHP filter:
    foreach (['date_from', 'date_to'] as $p) {  // date_to is listed as affected too, so both dates are checked
        if (!preg_match('/^[0-9\-]+$/', (string)($_GET[$p] ?? ''))) { http_response_code(400); die('Invalid ' . $p); }
    }
    if (!filter_input(INPUT_GET, 'id_product', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])) { http_response_code(400); die('Invalid product ID'); }
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all GET parameters
- Deploy web application firewall with SQL injection detection rules
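The two controls named above (strict input validation for the affected parameters, and parameterized queries so the database never parses user input as SQL) together, as an added example. This is illustrative Python written for this page, not QloApps code (which is PHP); the date format, the id range, the availability table, its rows and the handler are all assumptions. The advisory's own date_from payload is used as input to show it is rejected before any query runs, and count_available also shows that a bound parameter stays a literal even when validation is skipped.

```python
import re
import sqlite3
from datetime import date

# Allowlist shapes for the three parameters named in the advisory (assumed
# formats: ISO dates and a positive integer id; adjust if QloApps differs).
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
ID_RE = re.compile(r"^[1-9]\d{0,9}$")


def validate_params(params):
    """Return validated date_from, date_to, id_product or raise ValueError.

    params is a mapping of raw GET strings (what PHP sees in $_GET).
    """
    clean = {}
    for name in ("date_from", "date_to"):
        raw = str(params.get(name, ""))
        if not DATE_RE.match(raw):
            raise ValueError(f"{name}: expected YYYY-MM-DD")
        try:
            clean[name] = date.fromisoformat(raw).isoformat()  # rejects 2023-02-30
        except ValueError:
            raise ValueError(f"{name}: not a calendar date") from None
    raw_id = str(params.get("id_product", ""))
    if not ID_RE.match(raw_id):
        raise ValueError("id_product: expected a positive integer")
    clean["id_product"] = int(raw_id)
    if clean["date_from"] > clean["date_to"]:
        raise ValueError("date_from must not be after date_to")
    return clean


def build_demo_db():
    """Constructed in-memory table standing in for an availability table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE availability (id_product INTEGER, day TEXT)")
    conn.executemany(
        "INSERT INTO availability VALUES (?, ?)",
        [(1, "2023-06-01"), (1, "2023-06-02"), (2, "2023-06-01")],
    )
    return conn


def count_available(conn, id_product, date_from, date_to):
    """Parameterized query: bound values are data, never parsed as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM availability "
        "WHERE id_product = ? AND day BETWEEN ? AND ?",
        (id_product, date_from, date_to),
    ).fetchone()
    return row[0]


def handle_request(conn, params):
    """Validate first, then query with bound parameters. Returns (status, body)."""
    try:
        clean = validate_params(params)
    except ValueError as exc:
        return 400, str(exc)
    count = count_available(conn, clean["id_product"], clean["date_from"], clean["date_to"])
    return 200, count


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_request(db, {"date_from": "2023-06-01", "date_to": "2023-06-02", "id_product": "1"}))
    print(handle_request(db, {"date_from": "1' AND SLEEP(5)--", "date_to": "test", "id_product": "1"}))
```

Validation is the first line of defence and the bound parameters are the second: if the allowlist were ever relaxed, the query still compares the injected string against the integer column as a value and matches nothing, rather than changing the statement.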
🔍 How to Verify
Check if Vulnerable:
Test with time-based payload: http://target.com/page.php?date_from=1' AND SLEEP(5)--&date_to=test&id_product=1
Check Version:
Check QloApps version in admin panel or read configuration files
Verify Fix Applied:
Test with same payload - should return error or reject input without delay
📡 Detection & Monitoring
Log Indicators:
- Multiple requests with SQL keywords in GET parameters
- Unusual delays in response times (time-based injection)
- Requests to pages with date_from, date_to, id_product parameters containing special characters
Network Indicators:
- HTTP GET requests containing SQL injection patterns
- Repeated requests with varying time delays in parameters
SIEM Query:
source="web_logs" AND (uri_query="*sleep(*" OR uri_query="*benchmark(*" OR uri_query="*date_from*'*" OR uri_query="*date_to*'*" OR uri_query="*id_product*'*")
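The log and network indicators above, and the SIEM query's token list, as an added detection example run over a few constructed access-log lines. This is illustrative Python written for this page, not a QloApps or vendor tool; the log format (nginx combined with $request_time appended), the sample lines, the 2-second slow-response threshold and the severity ladder are assumptions. Line 2 of the sample carries the advisory's payload; the scan also flags a quote inside one of the three parameters without any SQL keyword, and a slow request with no other indicator, at lower severities so they can be correlated rather than alerted on alone.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines (not real QloApps logs): nginx combined format with
# $request_time appended as the last field. Line 2 carries the advisory's payload.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2023:12:00:01 +0000] "GET /index.php?id_product=1&date_from=2023-07-10&date_to=2023-07-12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.041
203.0.113.9 - - [10/Jul/2023:12:00:02 +0000] "GET /index.php?date_from=1%27%20AND%20SLEEP(5)--&date_to=test&id_product=1 HTTP/1.1" 200 5120 "-" "curl/8.0" 5.063
203.0.113.9 - - [10/Jul/2023:12:00:09 +0000] "GET /index.php?id_product=1%27&date_from=2023-07-10&date_to=2023-07-12 HTTP/1.1" 500 312 "-" "curl/8.0" 0.052
203.0.113.7 - - [10/Jul/2023:12:00:10 +0000] "GET /index.php?id_product=2&date_from=2023-07-11&date_to=2023-07-13 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 2.907
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)
SQLI_TOKENS = re.compile(r"sleep\(|benchmark\(|union.*select", re.I)  # same tokens as the SIEM query
SPECIAL = re.compile(r"""['"();#]|--""")  # characters that never belong in a date or product id
WATCHED = ("date_from", "date_to", "id_product")
SLOW_SECONDS = 2.0  # assumed threshold; tune to the site's normal response time


def analyze_line(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    params = dict(parse_qsl(query, keep_blank_values=True))  # percent-decodes values
    reasons = []
    if SQLI_TOKENS.search(unquote_plus(query)):
        reasons.append("sql-keyword")
    for name in WATCHED:
        value = params.get(name)
        if value is not None and SPECIAL.search(value):
            reasons.append(f"special-chars:{name}")
    rt = float(m["rt"])
    if rt >= SLOW_SECONDS and any(name in params for name in WATCHED):
        reasons.append(f"slow-response:{rt:.1f}s")
    if not reasons:
        return None
    slow = any(r.startswith("slow-response") for r in reasons)
    special = any(r.startswith("special-chars") for r in reasons)
    if "sql-keyword" in reasons or (slow and special):
        severity = "high"
    elif special:
        severity = "medium"
    else:
        severity = "low"  # a slow request on its own is only worth correlating
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "severity": severity, "reasons": reasons}


def scan(log_text):
    """Run analyze_line over every line and return the findings in log order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


def repeat_offenders(findings, min_hits=2):
    """Source IPs with at least min_hits findings (the 'multiple requests' indicator)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["severity"], f["ip"], f["reasons"])
    print("repeat offenders:", repeat_offenders(found))
```

The keyword match is done on the percent-decoded query string, so an encoded `sleep%28` is caught as well as the literal form; the per-parameter quote check and the response-time check are what make the time-based variant visible even when the keyword is obfuscated.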