delta/pragyan

Authenticated SQL-Injection

Opened this issue · 0 comments

In the file cms/modules/article.lib.php some user-input is not validated correctly, which allows for an authenticated SQL-Injection (more info here: https://www.owasp.org/index.php/SQL_Injection ). To exploit this, a user has to have the right to view "drafts", which by default only seems to be the case for the admin user. This allows for access to the SQL-database by any user that is logged into the CMS as admin.

The line in question:

$diffquery = "SELECT * FROM `article_draft` WHERE `page_modulecomponentid`= '$this->moduleComponentId' AND draft_number >= '$draftNo' ORDER BY draft_number DESC";
The function parameter ($draftNo) comes from a user-supplied GET parameter and is not filtered at all.

To reproduce this, create two versions of a draft of some article and run sqlmap on a local version of the CMS like so:
python sqlmap.py -u "http://localhost/pragyan/home/how_to_use/+edit&dversion=2*" --cookie='cookie_support=enabled; PHPSESSID=qece7ieb5fnqc9h5p3rb87q0h2'
where the cookie parameter must be replaced by a valid cookie of the admin user for this to work.

Here is a screenshot of it: https://i.imgur.com/ycCCuxu.png

This could be fixed by e.g. surrounding the parameter with a call to mysql_real_escape_string, i.e. $draftNo = mysql_real_escape_string($draftNo).
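As an added example (not code from this issue or from the Pragyan project), here is the vulnerable query pattern from the report next to a hardened version that validates dversion as an integer and binds it with a prepared statement. The function names, the mysqli connection and the component id are assumptions. The mysql_* extension, and with it mysql_real_escape_string, was removed in PHP 7.0, so a parameterised query is the durable fix; for a numeric column, rejecting non-integer input is also simpler to reason about than escaping.

```php
<?php
// Added example, not the Pragyan code base. Table and column names follow
// the issue; the connection setup and helper names are assumptions.

// Vulnerable: $draftNo is spliced into the SQL text unescaped. When it comes
// straight from $_GET['dversion'], the query structure is user-controlled.
function getDraftsVulnerable(mysqli $db, int $moduleComponentId, string $draftNo): array
{
    $sql = "SELECT * FROM `article_draft` WHERE `page_modulecomponentid` = '$moduleComponentId' "
         . "AND draft_number >= '$draftNo' ORDER BY draft_number DESC";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened: the draft number is validated as a non-negative integer and then
// bound as a typed parameter, so the SQL text is fixed and the value can never
// alter the query's structure.
function getDraftsSafe(mysqli $db, int $moduleComponentId, $draftNo): array
{
    // filter_var returns false for anything that is not an integer in range.
    $draftNo = filter_var($draftNo, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($draftNo === false) {
        throw new InvalidArgumentException('dversion must be a non-negative integer');
    }

    $stmt = $db->prepare(
        'SELECT * FROM `article_draft` WHERE `page_modulecomponentid` = ? '
        . 'AND draft_number >= ? ORDER BY draft_number DESC'
    );
    $stmt->bind_param('ii', $moduleComponentId, $draftNo);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage sketch; connection details are placeholders, not Pragyan's config:
// $db = new mysqli('localhost', 'db_user', 'db_password', 'pragyan');
// $drafts = getDraftsSafe($db, 42, $_GET['dversion'] ?? 0);
```

mysqli_stmt::get_result and fetch_all require the mysqlnd driver, which is the default on modern PHP builds; on older builds bind_result/fetch achieves the same thing. The validation step also gives a clean place to log rejected input, which is a useful detection signal for probing against the edit endpoint.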