CVE-2022-34956: SQL Injection Vulnerabilities · Issue #261 · Kliqqi-CMS/Kliqqi-CMS
Pligg CMS v2.0.2 was discovered to contain a time-based SQL injection vulnerability via the page_size parameter at load_data_for_groups.php.
There are 2 time-based SQL injection vulnerabilities, in /load_data_for_groups.php and /load_data_for_topusers.php respectively.
ENV:
Ubuntu 14.04
PHP 5.5.9
MySQL 5.5.62
SQL Injection in /load_data_for_groups.php
Vulnerable code:
Line 16: $page_size is user-controllable and used directly in the SQL statement, which may cause a time-based SQL injection.
POC:
Trigger the SQL injection (my MySQL version is 5.5.62):
Do not trigger:
SQL Injection in /load_data_for_topusers.php
Vulnerable code:
Line 30: $page_size is user-controllable and used directly in the SQL statement, which may cause a time-based SQL injection.
POC:
Trigger the SQL injection (my MySQL version is 5.5.62):
Do not trigger:
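
One way to handle a user-supplied page size so it can never reach the SQL text, as an added example that is not part of the original issue or the Kliqqi/Pligg code base. The table `groups_demo`, the functions `safe_page_size` and `fetch_groups`, the bounds, and the in-memory SQLite database standing in for MySQL are all assumptions.

```php
<?php
// Added example: not Kliqqi/Pligg code. Names, bounds and schema are hypothetical.
const DEFAULT_PAGE_SIZE = 10;   // assumed default
const MAX_PAGE_SIZE = 100;      // assumed upper bound

// Accept page_size only as a decimal integer in [1, MAX_PAGE_SIZE];
// anything else (missing, array, text, out of range) becomes the default.
function safe_page_size($raw)
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_PAGE_SIZE],
    ]);
    return $n === false ? DEFAULT_PAGE_SIZE : $n;
}

// The request value never becomes part of the SQL text: the statement is a
// constant string and the validated integer is bound as PDO::PARAM_INT.
// (With MySQL and emulated prepares, a string-bound LIMIT value is quoted
// and rejected, so the explicit integer type matters.)
function fetch_groups(PDO $db, $rawPageSize)
{
    $stmt = $db->prepare('SELECT id, name FROM groups_demo ORDER BY id LIMIT :lim');
    $stmt->bindValue(':lim', safe_page_size($rawPageSize), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE groups_demo (id INTEGER PRIMARY KEY, name TEXT)');
for ($i = 1; $i <= 25; $i++) {
    $db->exec("INSERT INTO groups_demo (name) VALUES ('group $i')");
}

// Constructed inputs: one valid value, then values that must be rejected.
foreach (['5', '0', '9999', 'abc', '5 trailing text', null] as $raw) {
    printf("%-18s page_size=%d rows=%d\n",
        var_export($raw, true), safe_page_size($raw), count(fetch_groups($db, $raw)));
}
```

The same validation applies to both endpoints named in the report, since each takes the page_size parameter.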