Vendor: Zenario CMS
By: Balaji Ayyasamy
CVSS: 9.1 (CRITICAL)
Blind SQL Injection
CWE: 89
Product Name: Zenario CMS
Affected Version From: 8.8.53370
Affected Version To: 8.8.53370
Patch Exists: YES
Related CVE: CVE-2021-26830
CPE: a:zenar.io:zenario:8.8.53370
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 Pro 19041 (x64_86) + XAMPP 7.4.14
2021
Zenario CMS 8.8.53370 – ‘id’ Blind SQL Injection
A Blind SQL Injection vulnerability was discovered in Zenario CMS 8.8.53370. An attacker can exploit it by sending a malicious request to the server that uses the 'id' parameter to inject SQL code. The sqlmap tool can be used to send such a request.
Mitigation:
The vendor has released a patch to address this vulnerability. It is recommended to update to the latest version of Zenario CMS.