📄 Geeklog 2.2.1 Blind SQL Injection

Geeklog 2.2.1 - Blind SQL Injection
    Advisory ID: RO-20-002
    Severity: Critical
    Vendor: Geeklog
    Product: Geeklog CMS
    Version: 2.2.1
    
    
    Overview #
    
    A Blind SQL Injection vulnerability exists in Geeklog CMS version 2.2.1. The vulnerability allows remote attackers to execute arbitrary SQL commands via the uid parameter in comment.php.
    
    
    Vulnerability Details #
    
    Affected Versions: 2.2.1 and earlier
    
    Location: comment.php
    
    Affected Parameter: uid
    
    Root Cause: Insufficient input validation on the uid parameter allows SQL Injection attacks.
    
    
    Exploitation Requirements #
    
        No authentication required
        Direct access to the comment endpoint
    
    Impact #
    
    Remote attackers can exploit this vulnerability to:
    
        Extract sensitive data from the database
        Bypass authentication mechanisms
        Modify or delete database content
    
    Proof of Concept #
    
    POST /geeklog-2.2.1/public_html/comment.php HTTP/1.1
    Host: target.com
    Content-Type: application/x-www-form-urlencoded
    
    uid=2+++((SELECT+1+FROM+(SELECT+SLEEP(25))A))/*'XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR'|"XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR"*/
    
    Time-based Blind SQL Injection: If the server response is delayed by 25 seconds, the target is vulnerable.
    
    
    Solution #
    
    Upgrade to a patched version of Geeklog that includes proper input sanitization and parameterized queries.
    
    
    References #
    
        Invicti Advisory NS-20-002
    
    Timeline:
    
        [2020-01-01] - Discovered
    
    Credits: Omar Kurt