CVE-2022-29306: IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection · Issue #404 · ionize/ionize
IonizeCMS v1.0.8.1 was discovered to contain a SQL injection vulnerability via the id_page parameter in application/models/article_model.php.
**1. Information**
Exploit Title: IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection
Exploit date: 11.04.2022
Exploit Author: [email protected]
Vendor Homepage: https://github.com/ionize/ionize
Affected Version: V1.0.8.1
Description: SQL injection in Ionize CMS 1.0.8.1 allows attackers to execute commands remotely via a SQL injection request from the client.
**2. Vulnerability Description**
The exploit code is located in the project’s application/models/article_model.php file.
In the shift_article_ordering method, the code is as follows.
The POST parameter id_page is spliced into the SQL statement without any processing or inspection, resulting in a SQL injection vulnerability.
**3. How to Exploit**
3.1 Construct a normal packet and send it. In the image below, you can see that there is a 2 second network delay.
3.2 Construct the injected data to execute sleep(1). It can be found that the delay is more than 4 seconds. It is speculated that there are 4 records in total, so sleep(1) is executed 4 times.
3.3 Construct the injection again to execute sleep(3), this time with a delay of 2 + 4*3 = 14 seconds if the guess is correct.
**4. Suggestion**
Validate the parameters in the POST request to avoid SQL injection.