Exploits / Vulnerability Discovered : 2022-03-30 |
Type : webapps |
Platform : php
This exploit / vulnerability Impresscms 1.4.2 remote code execution (rce) is for educational purposes only and if it is used you will do on your own risk!
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://www.impresscms.org
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerability Description:
User input passed through the "groups" POST parameter to the /include/findusers.php script is not
properly sanitized before being passed to the icms_member_Handler::getUserCountByGroupLink() and
icms_member_Handler::getUsersByGroupLink() methods. These methods use the first argument to
construct a SQL query without proper validation, and this can be exploited by remote attackers
to e.g. read sensitive data from the "users" database table through boolean-based SQL Injection
attacks. The application uses PDO as a database driver, which allows for stacked SQL queries,
as such this vulnerability could be exploited to e.g. create a new admin user and execute
arbitrary PHP code.
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2021-26599 to this vulnerability.
[-] Disclosure timeline:
[19/01/2021] - Vendor notified through HackerOne
[29/01/2021] - Vulnerability acknowledged by the vendor
[03/02/2021] - CVE number assigned
[06/02/2022] - Version 1.4.3 released, vulnerability not correctly fixed
[11/02/2022] - Vendor was informed about the ineffective fix
[09/03/2022] - Version 1.4.4 released
[22/03/2022] - Public disclosure
if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session coookie not found!\n");
if (!preg_match("/TOKEN_REQUEST' value='([^']+)'/", $res, $token)) die("[-] Token not found!\n");
$sub = "SELECT TRIM(TRAILING 'users' FROM table_name) FROM information_schema.tables WHERE table_schema='{$dbname}' AND table_name LIKE '%users'";
$min = true;
$idx = 1;