CVE-2023-33557: fuel-cms-sqlinjection/README.md at main · bcvgh/fuel-cms-sqlinjection
Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.
Source code: https://github.com/daylightstudio/FUEL-CMS
Authentication is required: the affected controller is only reachable by a logged-in user.
fuel/modules/fuel/controllers/Blocks.php
Line 64: the import_view method begins.
Line 70: the id parameter of the POST request is received and passed into the import method.
fuel/modules/fuel/libraries/Fuel_blocks.php
The call then reaches the find_by_key method on line 307.
Because no find_by_key method is defined, the call falls through to the object's __call magic method.
This leads to line 4421 of MY_Model.php, which passes the parameters to $this->db->where().
At this point the external input is concatenated into the SQL statement through $this->db->where(), but CodeIgniter's safe handling of where() wraps the value in single quotes, so no injection occurs yet.
By line 4450 the user's external input has been stored in the $other_args array without any sanitization.
It is then passed to $this->db->order_by(), where the external input is concatenated into the SQL statement again, this time without surrounding single quotes.
Finally, $this->db->get() executes the query, resulting in SQL injection.
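To make the difference between the two query-builder calls concrete, here is an added example that is not code from Fuel CMS or CodeIgniter. It uses Python's sqlite3 against a constructed blocks table: a bound WHERE value is quoted by the driver and can only ever be data, while an ORDER BY target is an identifier, cannot be bound, and therefore has to be validated against an allowlist of column names before it is interpolated. The table, its columns, the sample rows and the is_allowed_order helper are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample schema; the real Fuel CMS table and column names are not assumed here.
ALLOWED_ORDER_COLUMNS = {"id", "name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blocks (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO blocks (id, name) VALUES (?, ?)",
        [(1, "header"), (2, "footer"), (3, "sidebar")],
    )
    return conn


def find_by_key(conn: sqlite3.Connection, key: str) -> list:
    """WHERE with a bound parameter: the driver quotes the value, so the input
    is always compared as a string literal and cannot alter the query structure.
    This is the behaviour the writeup attributes to CodeIgniter's where()."""
    return conn.execute(
        "SELECT id, name FROM blocks WHERE name = ?", (key,)
    ).fetchall()


def unsafe_order_sql(order: str) -> str:
    """Builds (but does not run) the query the way an unchecked order_by() does:
    the same string that was a quoted literal in WHERE becomes raw SQL here,
    because an ORDER BY target is an identifier and cannot be a bound parameter."""
    return f"SELECT id, name FROM blocks ORDER BY {order}"


def is_allowed_order(column: str, direction: str = "ASC") -> bool:
    """Allowlist check: only known column names and ASC/DESC pass. Anything else
    (commas, spaces, comments, subselects) is rejected before it reaches SQL."""
    return column in ALLOWED_ORDER_COLUMNS and direction.upper() in ALLOWED_DIRECTIONS


def find_all_ordered(conn: sqlite3.Connection, column: str, direction: str = "ASC") -> list:
    """Safe ORDER BY: validate against the allowlist, then interpolate only the
    vetted constant. Rejected input raises instead of being sent to the database."""
    if not is_allowed_order(column, direction):
        raise ValueError(f"refusing to order by untrusted expression: {column!r} {direction!r}")
    return conn.execute(
        f"SELECT id, name FROM blocks ORDER BY {column} {direction.upper()}"
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Constructed input: harmless as a WHERE value, but a clause fragment inside ORDER BY.
    user_input = "name, id"
    print(find_by_key(db, user_input))           # [] -> treated as a literal string
    print(unsafe_order_sql(user_input))          # ORDER BY name, id -> input became SQL syntax
    print(is_allowed_order(user_input))          # False -> rejected by the allowlist
    print(find_all_ordered(db, "name", "desc"))  # [(3, 'sidebar'), (1, 'header'), (2, 'footer')]
```

The fix pattern is the same in any language: values go through bound parameters, identifiers (column names, sort direction) go through a closed allowlist, and the rejected case fails loudly so it shows up in application logs rather than in the database.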
sqlmap: