Vendor: Zenario
By: Avinash R
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Zenario
Affected Version From: 8.8.52729
Affected Version To: 8.8.52729
Patch Exists: YES
Related CWE: CVE-2021-27673
CPE: a:zenar.io:zenario:8.8.52729
Metasploit: N/A
Other Scripts:
https://www.infosecmatter.com/nessus-plugin-library/?id=149491, https://www.infosecmatter.com/nessus-plugin-library/?id=160441, https://www.infosecmatter.com/nessus-plugin-library/?id=150927, https://www.infosecmatter.com/nessus-plugin-library/?id=144693, https://www.infosecmatter.com/nessus-plugin-library/?id=147690, https://www.infosecmatter.com/nessus-plugin-library/?id=143773, https://www.infosecmatter.com/nessus-plugin-library/?id=144210, https://www.infosecmatter.com/nessus-plugin-library/?id=147512, https://www.infosecmatter.com/nessus-plugin-library/?id=144097
Platforms Tested: Windows 10 Pro
2021
Zenario CMS 8.8.52729 – ‘cID’ Blind & Error based SQL injection (Authenticated)
Log in to the Zenario CMS admin page at http://server_ip/zenario/admin.php with admin credentials. Click New → HTML page to create a new sample page, and intercept the request with your interceptor. A single quote in the 'cID' parameter will confirm the SQL injection. After confirming that the 'cID' parameter is vulnerable to SQL injection, feeding the request to SQLMAP will do the rest of the work for you.
Mitigation:
Ensure that user input is properly sanitized and validated before being used in SQL queries.
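
The mitigation above, as an added example that is not Zenario's code: a 'cID'-style lookup built by string concatenation next to a validated, parameter-bound version, run against an in-memory SQLite database. The table, column and function names are hypothetical, and treating 'cID' as a positive integer content ID is an assumption.

```python
import sqlite3

# Constructed stand-in schema; table and column names are hypothetical,
# not Zenario's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content_items (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO content_items VALUES (?, ?)",
                   [(1, "Home"), (2, "Sample HTML page")])
    return db

def lookup_concatenated(db, raw_cid):
    """'Before' form: the raw cID value becomes part of the SQL text."""
    sql = "SELECT title FROM content_items WHERE id = " + raw_cid
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # A lone quote unbalances the statement; the resulting database error
        # is the signal the single-quote check described above relies on.
        return "SQL error: %s" % exc

def parse_cid(raw):
    """Allow-list validation, assuming cID is a positive integer content ID."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValueError("cID must be a positive integer")
    value = int(raw)
    if not 0 < value < 2**31:
        raise ValueError("cID out of range")
    return value

def lookup_bound(db, raw_cid):
    """'After' form: validate first, then pass the value as a bound parameter."""
    c_id = parse_cid(raw_cid)
    return db.execute("SELECT title FROM content_items WHERE id = ?",
                      (c_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for raw in ("2", "2'"):  # constructed inputs: a normal ID and the quote check
        print(repr(raw), "concatenated ->", lookup_concatenated(db, raw))
        try:
            print(repr(raw), "bound        ->", lookup_bound(db, raw))
        except ValueError as exc:
            print(repr(raw), "bound        -> rejected:", exc)
```

Validation and binding do different jobs here: the allow-list rejects malformed IDs before any query runs, and the bound parameter keeps the value out of the SQL text even if validation is later loosened.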