Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Exponent CMS 2.4.1 SQL Injection

Related Vulnerabilities: CVE-2017-7991  
Publish Date: 21 Apr 2017
Author: 404 Not Found
Source 
                							

                CVE-2017-7991-SQL injection-Exponent CMS

[Suggested description]
Exponent CMS 2.4.1 and earlier has SQL injection  via a base64
serialized API key (apikey parameter) in the api function  of
framework/modules/eaas/controllers/eaasController.php.
 
------------------------------------------

[Additional  Information]
Vulnerable file is:  /framework/modules/eaas/controllers/eaasController.php
Vulnerable  function is api.

public function api() {
        if  (empty($this->params['apikey'])) {
            $_REQUEST['apikey'] =  true;  // set this to force an ajax reply
            $ar = new  expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access  Exponent as a Service', null);
            $ar->send();  //FIXME this  doesn't seem to work correctly in this scenario
        } else  {
            echo $this->params['apikey'];
            $key  =  expUnserialize(base64_decode(urldecode($this->params['apikey'])));
             echo $key;
            
            $cfg = new  expConfig($key);
            $this->config =  $cfg->config;
            if(empty($cfg->id))  {
                $ar = new expAjaxReply(550, 'Permission Denied',  'Incorrect API key or Exponent as a Service module configuration missing',  null);
                $ar->send();
            } else  {
                if (!empty($this->params['get']))  {
                    $this->handleRequest();
                 } else {
                    $ar = new expAjaxReply(200, 'ok', 'Your API  key is working, no data requested', null);
                     $ar->send();
                }
            }
         }
    }

We can control param $apikey by using  base64_encode and serialize
functions to encrypt the SQL injection  string. Then, the $apikey will
be decrypted and cause SQL injection.  Such as, if we want to use
"aaa\'or sleep(2)#" to inject, we should use  "echo
base64_encode(serialize($apikey));" to encrypt the Attack  string:
czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the result. So,
http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
 is the PoC. The result is: the site will sleep several seconds, and
you  can see SQL injection is successful in MySQL logs.

 ------------------------------------------

[Vulnerability  Type]
SQL Injection

 ------------------------------------------

[Vendor of  Product]
Exponent CMS

 ------------------------------------------

[Affected Product  Code Base]
Exponent CMS - 2.4.1 and earlier

 ------------------------------------------

[Affected  Component]
 \framework\modules\eaas\controllers\eaasController.php,function api(),param  $apikey

------------------------------------------
 
[Attack Type]
Remote

 ------------------------------------------

[Impact Information  Disclosure]
true

 ------------------------------------------

[Attack  Vectors]
http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
 
http://www.exponentcms.org/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
 
------------------------------------------

[Discoverer]
404notfound


<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started