
CVE-2022-29306: IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection · Issue #404 · ionize/ionize

IonizeCMS v1.0.8.1 was discovered to contain a SQL injection vulnerability via the id_page parameter in application/models/article_model.php.


**1. Information**

Exploit Title: IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection
Exploit date: 11.04.2022
Exploit Author: [email protected]
Vendor Homepage: https://github.com/ionize/ionize
Affected Version: V1.0.8.1
Description: SQL injection in Ionize CMS 1.0.8.1 allows attackers to execute commands remotely via a SQL injection request from the client.

**2. Vulnerability Description**

The vulnerable code is located in the project's application/models/article_model.php file.
In the shift_article_ordering method, the code is as follows.
The POST parameter id_page is concatenated into the SQL statement without any sanitization or validation, resulting in a SQL injection vulnerability.

**3. How to Exploit**

3.1 Construct a normal packet and send it. In the image below, you can see that there is a 2 second network delay.

3.2 Construct the injected data to execute sleep(1). The delay is now more than 4 seconds. It is speculated that there are 4 records in total, so sleep(1) is executed 4 times.

3.3 Construct the injection again to execute sleep(3). If the guess is correct, the delay this time is 2 + 4*3 = 14 seconds.

**4. Suggestion**

Validate the parameters in the POST request to avoid SQL injection.
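The suggestion above, as an added example that is not Ionize's code or the reporter's: the concatenation pattern from section 2 next to a validated, bound-parameter version. The table, columns, function names and sample rows are hypothetical, and an in-memory SQLite database (PDO) stands in for the CMS database.

```php
<?php
// Added example, not Ionize code. Table, column and function names are
// hypothetical; an in-memory SQLite database stands in for the CMS database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page_article (id_page INTEGER, id_article INTEGER, ordering INTEGER)');
// Constructed sample rows: two pages with two articles each.
$db->exec('INSERT INTO page_article VALUES (1, 10, 1), (1, 11, 2), (2, 20, 1), (2, 21, 2)');

// Vulnerable pattern the report describes: the request value is spliced into the SQL text.
function shift_ordering_concat(PDO $db, $id_page): int
{
    return $db->exec("UPDATE page_article SET ordering = ordering + 1 WHERE id_page = " . $id_page);
}

// Hardened pattern: require a positive integer, then pass it as a bound parameter.
function shift_ordering_bound(PDO $db, $id_page): int
{
    $id = filter_var($id_page, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id_page must be a positive integer');
    }
    $stmt = $db->prepare('UPDATE page_article SET ordering = ordering + 1 WHERE id_page = :id_page');
    $stmt->bindValue(':id_page', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$benign  = '1';         // the value the application expects
$crafted = '1 OR 1=1';  // constructed input that rewrites the WHERE clause when concatenated

// With concatenation, the crafted value touches rows belonging to every page.
printf("concat, benign:  %d row(s)\n", shift_ordering_concat($db, $benign));
printf("concat, crafted: %d row(s)\n", shift_ordering_concat($db, $crafted));

// With validation and binding, the same value never reaches the SQL text.
printf("bound, benign:   %d row(s)\n", shift_ordering_bound($db, $benign));
try {
    shift_ordering_bound($db, $crafted);
} catch (InvalidArgumentException $e) {
    printf("bound, crafted:  rejected (%s)\n", $e->getMessage());
}
```

Validation alone is enough for an integer id, but binding the value as well keeps the query safe if the validation is later loosened or bypassed by another code path.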
