On Tue, Nov 1, 2016 at 5:05 PM, Brandon Perry <[email protected]> wrote: > >> On Oct 31, 2016, at 2:41 PM, Elar Lang <[email protected]> wrote: >> >> Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) >> Credit: Elar Lang / https://security.elarlang.eu >> Vendor/Product: dotCMS (http://dotcms.com/) >> Vulnerability: SQL injection >> Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE) >> CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905, >> CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040 >> >> >> # Multiple SQL injections in dotCMS framework. >> >> >> ## CVE-2016-8902 - categoriesServlet, sort >> > > I am having trouble reproducing this one on 3.3 and 3.2.4. As an > unauthenticated user on a clean install of dotCMS, I perform this request. > > GET /categoriesServlet?start=0&count=10&sort=asc HTTP/1.1 > Host: 10.211.55.37:8080 > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) > Gecko/20100101 Firefox/49.0 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-US,en;q=0.5 > Cookie: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8; > JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F > Accept-Encoding: gzip, deflate > Connection: keep-alive > Upgrade-Insecure-Requests: 1 > > > In you blog post, you note JSON is supposed to be returned, but that doesn’t > happen. The response I get is a simple 200. > > HTTP/1.1 200 OK > Server: Apache-Coyote/1.1 > SET-COOKIE: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8;Path=/ > SET-COOKIE: JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F;Path=/ > Cache-Control: public, no-store, no-cache, max-age=0 > Pragma: no-cache > Expires: Tue, 01 Nov 2016 14:55:34 GMT > Content-Type: text/plain;charset=utf-8 > Content-Length: 0 > Date: Tue, 01 Nov 2016 14:55:34 GMT > > > What versions exactly did you test against to reproduce this and what was the > setup? > > I am also curious why a UNION doesn’t work (mentioned in blog post) if you > dug into that. > > Thanks! > > Public response also:
#1 I tested it during one pen-test case in December 2015. Exact version was 3.2.1. I haven't set up this environment myself. At the moment I used "Google Hacking" to find some dotCMS. Use search phrase inurl:/html/portal/login.jsp From login page you can see, what is the current version on this site, change path to /categoriesServlet and you probably can see the output like I described in my blog post. I saw described output from different versions, like 2.5.4, 3.2.1, 3.5, 3.6. From one site I also got an error - so, maybe there are some other pre-conditions which I don't know. If you can figure it out, share it with others also. #2 You can not use UNION after ORDER BY statement, this is the way how SQL works. And if you have vulnerability in order by or sort parameter, then your entrypoint is after ORDER BY statement Elar _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
