SQL Injection in Bo-blog Wind CMS [CVE-2019-7587]

Intro

I am c3t. I detected an SQL injection vulnerability in Bo-blog Wind CMS (https://github.com/bo-blog/bw). An attacker can dump the database.

CVE-2019-7587, CVSS score 7.5 (High severity)

Full disclosure

Entrypoint: http://example.com/bw/admin.php/comments/batchdel/?ajax=1&CSRFCode=1b22e2f1

Vulnerable parameter (in the POST request): comID

Description

For the PoC, I use the query: SELECT(SLEEP(5))

HTTP request:

The response:

with SELECT(SLEEP(0))

and with SELECT(SLEEP(10))

Source code analysis

Line 977 in /mode/admin.mode.php:

The web application receives data from the client through the comID parameter of the HTTP request, then calls the function delBlockedBatch with the comIDList parameter.

Function delBlockedBatch:

Function dbExec:

Result: an attacker can inject into the comID parameter and execute arbitrary SQL commands.
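To make the root cause concrete, here is an added PHP illustration; it is not Bo-blog Wind's own code and does not reproduce its delBlockedBatch or dbExec functions. It shows the generic shape of this bug class (a comma-separated ID list from the request body concatenated into a DELETE ... IN (...) statement) next to a hardened version that validates every element as a positive integer and binds it through a PDO prepared statement. The function names (deleteCommentsUnsafe, parseCommentIds, deleteCommentsSafe), the $pdo handle and the `comments` table with a `comID` column are assumptions made for the example.

```php
<?php
// Added example, not the project's code. Assumed: a PDO connection $pdo and a
// table `comments` whose integer primary key is `comID`.

/**
 * Vulnerable shape: the comID list from the POST body is pasted straight into
 * the SQL text, so whatever the client sends becomes part of the statement.
 */
function deleteCommentsUnsafe(PDO $pdo, string $comIDList): int
{
    $sql = "DELETE FROM comments WHERE comID IN ($comIDList)";
    return $pdo->exec($sql);   // client-controlled SQL reaches the database
}

/**
 * Parse "1,2,3" into a list of positive integers. Anything else (empty
 * entries, letters, parentheses, subqueries) causes an exception.
 */
function parseCommentIds(string $comIDList): array
{
    $ids = [];
    foreach (explode(',', $comIDList) as $piece) {
        $piece = trim($piece);
        // ctype_digit accepts only a non-empty run of ASCII digits
        if ($piece === '' || !ctype_digit($piece) || (int)$piece <= 0) {
            throw new InvalidArgumentException("invalid comID value: " . $piece);
        }
        $ids[] = (int)$piece;
    }
    return array_values(array_unique($ids));
}

/**
 * Hardened shape: validated integers, one bound placeholder per id, so the
 * driver never interprets the values as SQL text.
 */
function deleteCommentsSafe(PDO $pdo, string $comIDList): int
{
    $ids = parseCommentIds($comIDList);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM comments WHERE comID IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);  // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-check on constructed inputs; no database connection is needed for this part.
var_dump(parseCommentIds("3, 7,7"));             // two ints: 3 and 7
try {
    parseCommentIds("1,(SELECT(SLEEP(5)))");      // the shape of the advisory's PoC value
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

The integer check alone would already close this hole; the prepared statement is kept as a second layer so that a later change to the validation cannot silently reintroduce string concatenation. A server-side log of rejected comID values is also a cheap detection signal, since legitimate clients never send anything but digits and commas in that field.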
