exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Exponent CMS 2.3.9 Blind SQL Injection

Exponent CMS 2.3.9 Blind SQL Injection
Posted Sep 20, 2016
Authored by Manuel Garcia Cardenas

Exponent CMS versions 2.3.9 and below suffer from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2016-7400
SHA-256 | 3e237ec6c00af59c1ddbf878a77aa82dabfd991c656a7c28bd3a59c7ae1da0ed

Exponent CMS 2.3.9 Blind SQL Injection

Change Mirror Download
=============================================
MGC ALERT 2016-005
- Original release date: September 09, 2016
- Last revised: September 20, 2016
- Discovered by: Manuel GarcAa CA!rdenas
- Severity: 7,1/10 (CVSS Base Score)
- CVE-ID: CVE-2016-7400
=============================================

I. VULNERABILITY
-------------------------
Blind SQL Injection in Exponent CMS <= v2.3.9

II. BACKGROUND
-------------------------
Exponent CMS is a free, open source, open standards modular enterprise
software framework and content management system (CMS) written in the
programming language PHP.

III. DESCRIPTION
-------------------------
This bug was found using the portal in the index.php page.

To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.

It is possible to inject SQL code in the "index.php" page
"/exponent/index.php".

IV. PROOF OF CONCEPT
-------------------------
The following URL have been confirmed to all suffer from Blind SQL
injection and Time Based SQL Injection.

Blind SQL Injection POC:

/exponent/index.php'%20or%201%3d1--%20

/exponent/index.php'%20or%201%3d2--%20

Time Based SQL Injection POC:

/exponent/index.php'%20OR%20SLEEP(1)--%20 (2 seconds of response)

/exponent/index.php'%20OR%20SLEEP(30)--%20 (30 seconds of response)

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
Exponent CMS <= v2.3.9

VII. SOLUTION
-------------------------
Vendor fix the vulnerability:
http://www.exponentcms.org/news/updated-patches-released-for-v2-1-4-and-v2-2-3-1473726129-0.50310400

VIII. REFERENCES
-------------------------
http://www.exponentcms.org/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel GarcAa CA!rdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
September 09, 2016 1: Initial release
September 20, 2016 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
September 09, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
September 09, 2016 2: Send to vendor
September 12, 2016 3: Vendor fix vulnerability
September 20, 2016 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close