Share
## https://sploitus.com/exploit?id=PACKETSTORM:214775
glFusion 1.3.0 - Blind SQL Injection
    Advisory ID: RO-13-001
    Severity: Critical
    Vendor: glFusion
    Product: glFusion CMS
    Version: 1.3.0
    
    
    Overview #
    
    A critical Blind SQL Injection vulnerability exists in glFusion CMS version 1.3.0, affecting the Media Gallery search functionality. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands and potentially compromise the entire database.
    
    
    Vulnerability Details #
    
    Affected Versions: 1.3.0 and earlier
    
    Location: /mediagallery/search.php
    
    Affected Parameter: cat_id
    
    Root Cause: The vulnerability exists due to insufficient input validation on the cat_id parameter. User-supplied input is directly concatenated into an SQL query without proper sanitization or parameterized queries, allowing attackers to inject malicious SQL statements.
    
    
    Exploitation Requirements #
    
        No authentication required
        Media Gallery module must be enabled
        Direct access to the search endpoint
    
    Impact #
    
    Remote attackers can exploit this vulnerability to:
    
        Extract sensitive data from the database (usernames, passwords, emails)
        Bypass authentication mechanisms
        Modify or delete database content
        Potentially gain administrative access to the CMS
    
    Proof of Concept #
    
    POST /mediagallery/search.php HTTP/1.1
    Host: target.com
    Content-Type: application/x-www-form-urlencoded
    
    cat_id='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
    
    Time-based Blind SQL Injection: If the server response is delayed by 25 seconds, the target is vulnerable.
    
    
    Solution #
    
    Upgrade to glFusion version 1.3.1 or later, which includes proper input sanitization for the affected parameter.
    
    
    References #
    
        Invicti Advisory NS-13-009
        Exploit-DB 28185
        Vendor Patch
    
    Timeline:
    
        [2013-09-05] - First contact
        [2013-09-06] - Fix released
        [2013-09-09] - Advisory released
    
    Credits: Omar Kurt