
IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection #404

Open
@EricFrank900528

Description

1. Information

Exploit Title: IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection
Exploit date: 11.04.2022
Exploit Author: ericfrank900528@gmail.com
Vendor Homepage: https://github.com/ionize/ionize
Affected Version: V1.0.8.1
Description: SQL injection in Ionize CMS 1.0.8.1 allows attackers to execute commands remotely via a SQL injection request from the client.

2. Vulnerability Description

The exploit code is located in the project's application/models/article_model.php file.
In the shift_article_ordering method, the code is as follows.
The POST parameter id_page is spliced into the SQL statement without any processing or inspection, resulting in a SQL injection vulnerability.
[Image: shift_article_ordering_source]

3. How to Exploit

3.1 Construct a normal packet and send it. In the image below, you can see that there is a 2 second network delay.
[Image: shift_article_ordering_prove1]

3.2 Construct the injected data to execute sleep(1). It can be found that the delay is more than 4 seconds. It is speculated that there are 4 records in total, so sleep(1) is executed 4 times.
[Image: shift_article_ordering_prove2]

3.3 Construct the injection again to execute sleep(3), this time with a delay of 2 + 4*3 = 14 seconds if the guess is correct.
[Image: shift_article_ordering_prove3]

4. Suggestion

Validate the parameters in the POST request to avoid SQL injection.
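
One way to apply the suggestion above, as an added example that is not part of the original issue and is not Ionize's code: validate `id_page` as a positive integer, then pass it as a bound parameter. The function name `shift_article_ordering_safe`, the `page_article` table, its columns and the UPDATE statement are assumptions made for illustration; the sample rows and inputs are constructed, and PDO with in-memory SQLite is used so the block runs stand-alone.

```php
<?php
// Added example; table, columns and statement are assumptions, not Ionize's code.

/**
 * Shift the ordering of every article on one page by +1.
 * Returns the number of rows updated; throws if id_page is not a positive integer.
 */
function shift_article_ordering_safe(PDO $db, $raw_id_page): int
{
    // 1. Validate: id_page must be a positive integer and nothing else.
    $id_page = filter_var($raw_id_page, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id_page === false) {
        throw new InvalidArgumentException('id_page must be a positive integer');
    }

    // 2. Bind: the value is sent separately from the SQL text, never spliced in.
    $stmt = $db->prepare(
        'UPDATE page_article SET ordering = ordering + 1 WHERE id_page = :id_page'
    );
    $stmt->bindValue(':id_page', $id_page, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample data: four articles on page 2, one on page 3.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page_article (id_page INTEGER, id_article INTEGER, ordering INTEGER)');
$db->exec('INSERT INTO page_article VALUES (2,1,1),(2,2,2),(2,3,3),(2,4,4),(3,5,1)');

// Constructed inputs: one well-formed id, one with SQL text appended.
foreach (['2', '2 OR 1=1'] as $input) {
    try {
        $n = shift_article_ordering_safe($db, $input);
        echo 'id_page=' . var_export($input, true) . " -> updated $n rows\n";
    } catch (InvalidArgumentException $e) {
        echo 'id_page=' . var_export($input, true) . ' -> rejected: ' . $e->getMessage() . "\n";
    }
}
```

The well-formed id updates only the four rows for page 2; the second input fails integer validation and never reaches the database.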
