Boolean-based SQL Injection in ZoneMinder v1.37.* <= 1.37.64

Description

Summary

ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in the 'removetag' action of web/ajax/event.php.

Details

In web/ajax/event.php, I found the vulnerable code:

case 'removetag' :
    $tagId = $_REQUEST['tid'];
    dbQuery('DELETE FROM Events_Tags WHERE TagId = ? AND EventId = ?', array($tagId, $_REQUEST['id']));
    $sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
    $rowCount = dbNumRows($sql);
    if ($rowCount < 1) {
      $sql = 'DELETE FROM Tags WHERE Id = ?';
      $values = array($_REQUEST['tid']);
      $response = dbNumRows($sql, $values);
      ajaxResponse(array('response'=>$response));
    }

Notice that $tagId is interpolated directly into the $sql string, which is then executed by dbNumRows() without parameters, unlike the preceding DELETE, which binds its values. Because the attacker-controlled tid parameter becomes part of the SQL text, this confirms the SQL Injection.

PoC

Although web/ajax/event.php cannot be requested directly by its file path, the documentation shows that it is reachable through index.php with the following URL:

http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1

where the tid parameter is vulnerable to SQL Injection.
I used sqlmap to automate the exploitation process through this command:

sqlmap -u 'http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1'

Here is the PoC video:
https://github.com/user-attachments/assets/3cc50e51-68cf-4540-8225-4288f73e0c08

Impact

Total control of the SQL database: loss of data confidentiality and integrity, and denial of service with the SLEEP command.

Mitigation

Here is the code modification to patch the vulnerability:

// Bind $tagId as a parameter; dbNumRows() takes the values as an array,
// matching the existing dbNumRows($sql, $values) call in the same case block.
$sql = "SELECT * FROM Events_Tags WHERE TagId = ?";
$rowCount = dbNumRows($sql, array($tagId));

The updated code passes $tagId as a bound parameter instead of interpolating it into the query string, so the database treats it as a value rather than as SQL syntax.
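To make the difference between the vulnerable and the patched query concrete, the following is an added example (not ZoneMinder's code) that runs both patterns against an in-memory SQLite table with constructed sample rows. It illustrates the Details section (the interpolated query changes its meaning when tid carries a boolean condition) and the Mitigation section (the bound parameter is compared only as a value). The requireIntParam() helper is a hypothetical defence-in-depth check, since TagId is an integer column.

```php
<?php
// Added example, not ZoneMinder's code: contrasts string interpolation with
// parameter binding for the Events_Tags lookup described in the advisory.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Events_Tags (TagId INTEGER, EventId INTEGER)');
// Constructed sample data: tag 1 is attached to one event, tag 2 to two events.
$db->exec('INSERT INTO Events_Tags VALUES (1, 10), (2, 20), (2, 21)');

// Vulnerable pattern from the advisory: $tagId becomes part of the SQL text,
// so any SQL syntax in the value is parsed as part of the WHERE clause.
function countTagRowsVulnerable(PDO $db, string $tagId): int {
    $sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
    return count($db->query($sql)->fetchAll());
}

// Patched pattern: the value is bound, so the statement text never changes
// and the input can only ever be compared against the TagId column.
function countTagRowsFixed(PDO $db, string $tagId): int {
    $stmt = $db->prepare('SELECT * FROM Events_Tags WHERE TagId = ?');
    $stmt->execute([$tagId]);
    return count($stmt->fetchAll());
}

// Hypothetical defence-in-depth helper (not part of ZoneMinder): TagId is an
// integer column, so reject anything that is not a plain non-negative integer
// before the request reaches the database layer at all.
function requireIntParam(string $value): int {
    if (!ctype_digit($value)) {
        throw new InvalidArgumentException('tid must be a non-negative integer');
    }
    return (int) $value;
}

$benign  = '1';
// Constructed input carrying a boolean condition, the class of payload the
// advisory describes; it is handled here only to show the two behaviours.
$crafted = '1 OR 1=1';

printf("benign  tid: vulnerable=%d fixed=%d\n",
    countTagRowsVulnerable($db, $benign), countTagRowsFixed($db, $benign));
printf("crafted tid: vulnerable=%d fixed=%d\n",
    countTagRowsVulnerable($db, $crafted), countTagRowsFixed($db, $crafted));

try {
    requireIntParam($crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected before query: ', $e->getMessage(), "\n";
}
```

For the benign value both functions return the same count, because binding '1' to an INTEGER column compares it as the number 1. For the crafted value the interpolated query matches every row in the table, while the bound query matches none, since the whole string is compared as one value and is not equal to any TagId. The integer check in front of either query is cheap and removes the input class entirely, which is why a patched handler would typically keep both the bound parameter and the validation.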

Originally published on GitHub: Boolean-based SQL Injection in ZoneMinder v1.37.* <= 1.37.64

Copyright notice: posted by admin on 5 November 2024 at 17:16.