Document Title: =============== Schoolhos CMS v2.29 - userberita SQL injection Vulnerability Date: ===== 2016-11-22 References: =========== http://www.vulnerability-lab.com/get_content.php?id=1932 VL-ID: ===== 1932 Common Vulnerability Scoring System: ==================================== 6.8 Introduction: ============= Schoolhos CMS is alternative to developing School Website. It's Free and Open Source under GPL License. Easy to install, user friendly and elegant design. (Copy of the Vendor Homepage: http://www.schoolhos.com/ & https://sourceforge.net/projects/schoolhoscms/ ) Abstract: ========= The vulnerability laboratory core research team discovered a remote sql-injection vulnerability in the official Schoolhos v2_29 content management system. Report-Timeline: ================ 2016-11-22: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== Schoolhos Product: Schoolhos - Content Management System (Web-Application) v2016 Q3 Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== A remote sql injection web vulnerability has been discovered in the official Schoolhos v2_29 content management system. The web vulnerability allows remote attackers to execute own malicious sql commands to compromise the application or dbms. The sql injection vulnerability is located in the `user` parameter of the `index?p=userberita` module GET method request. Remote attackers are able to execute own sql commands by usage of an insecure GET method request through the vulnerable parameter of the own application. The attack vector of the vulnerability is application-side and the request method to inject is GET. The security vulnerability in the content management system is a classic select remote sql-injection. The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.8. Exploitation of the remote sql injection vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise. Request Method(s): [+] GET Vulnerable Module(s): [+] userberita Vulnerable Parameter(s): [+] user Proof of Concept: ================= The remote sql-injection web vulnerability can be exploited by remote attackers without privileged web-application user account and without user interaction. For security demonstration or to reproduce the sql-injection web vulnerability follow the provided information and steps below to continue. PoC: Payload 999999.9%27+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C%28select+distinct+concat%280x 7e%2C0x27%2Cschema_name%2C0x27%2C0x7e%29+from+%60information_schema%60.schemata+limit+0%2C1%29%2C0x31303235343830303536%2C0x31303235343 830303536%2C0x31303235343830303536%2C0x31303235343830303536+and+%27x%27%3D%27x PoC: Exploitation Schoolhos (userberita) - Remote SQL Injection Vulnerability