
IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection #404

Open
EricFrank900528 opened this issue Apr 11, 2022 · 1 comment

Comments

@EricFrank900528

EricFrank900528 commented Apr 11, 2022

1. Information

Exploit Title: IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection
Exploit date: 11.04.2022
Exploit Author: ericfrank900528@gmail.com
Vendor Homepage: https://github.com/ionize/ionize
Affected Version: V1.0.8.1
Description: SQL injection in Ionize CMS 1.0.8.1 allows attackers to execute commands remotely via a SQL injection request from the client.

2. Vulnerability Description

The vulnerable code is located in the project's application/models/article_model.php file.
In the shift_article_ordering method, the code is as follows.
The POST parameter id_page is spliced into the SQL statement without any processing or inspection, resulting in a SQL injection vulnerability.
[Image: shift_article_ordering_source]

3. How to Exploit

3.1 Construct a normal packet and send it. In the image below, you can see that there is a 2 second network delay.
[Image: shift_article_ordering_prove1]

3.2 Construct the injected data to execute sleep(1). It can be found that the delay is more than 4 seconds. It is speculated that there are 4 records in total, so sleep(1) is executed 4 times.
[Image: shift_article_ordering_prove2]

3.3 Construct the injection again to execute sleep(3); this time the delay is 2 + 4*3 = 14 seconds if the guess is correct.
[Image: shift_article_ordering_prove3]

4. Suggestion

Validate the parameters in the POST request to avoid SQL injection.
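The defect described above, a request parameter concatenated into a query, shown beside the hardened form the suggestion calls for. This is an added example, not Ionize's code: the table, columns and function names are hypothetical, the rows are constructed for the demo, and it assumes PHP with the PDO SQLite driver available.

```php
<?php
// Added example, not code from the Ionize project. Table, columns and function
// names are hypothetical; the data is constructed so the script runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page_article (id_page INTEGER, id_article INTEGER, ordering INTEGER)');
$db->exec('INSERT INTO page_article VALUES (1,10,1),(1,11,2),(2,20,1),(2,21,2)');

// Vulnerable pattern: the raw POST value is spliced into the statement, so the
// caller controls the WHERE clause, not just the value compared in it.
function shift_ordering_vulnerable(PDO $db, string $id_page): array
{
    $sql = "SELECT id_article FROM page_article WHERE id_page = " . $id_page . " ORDER BY ordering";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the parameter as an integer first (rejecting anything
// else), then bind it, so the value can never change the statement's structure.
function shift_ordering_hardened(PDO $db, string $id_page): array
{
    $id = filter_var($id_page, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id_page must be an integer');
    }
    $stmt = $db->prepare('SELECT id_article FROM page_article WHERE id_page = :id_page ORDER BY ordering');
    $stmt->execute([':id_page' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$benign   = '1';          // what the form normally sends
$tampered = '1 OR 1=1';   // a non-integer value, as a client could send

var_dump(shift_ordering_vulnerable($db, $benign));    // rows for page 1 only
var_dump(shift_ordering_vulnerable($db, $tampered));  // every row: the condition was rewritten

try {
    shift_ordering_hardened($db, $tampered);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;      // never reaches the database
}
var_dump(shift_ordering_hardened($db, $benign));      // rows for page 1 only
```

In a CodeIgniter model such as the one named in the report, the same effect comes from validating id_page as an integer and passing it through query binding or the query builder's where() instead of string concatenation.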

@partikule
Member

Feel free to correct it: the project hasn't been maintained since 2017!
