Recently I found a SQL injection in the Zenario CMS.
Title of the Vulnerability: Blind SQL Injection
Vulnerability Class: SQL Injection
Technical Details & Description: In the Plugin Library module, the plugin deletion request is sent to the ajax.php page, which is vulnerable to blind SQL injection.
Parameter: id (POST)
Product: Zenario 8.8.52729
Steps:
1. Log in to the Zenario CMS using admin credentials.
2. After a successful login, go to the top-left corner, click the down arrow, then go to Modules and select the Plugin Library.
3. Select any plugin; the Delete button is visible at the top.
4. Press the Delete button and capture the request in Burp Suite.
5. Add a ' to the id parameter and send the request. The server responds with a SQL error.
6. Copy the request to a text file and pass it to sqlmap. Boom!! SQL injection.
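As an added illustration (not Zenario's code; the table, column and handler names are constructed), the pattern behind this bug class beside its fix: a delete handler that splices the POST id into the SQL text, so a stray quote breaks the statement and surfaces as a SQL error, versus one that validates the type and binds the value. Python's sqlite3 stands in for the CMS's real database layer.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a CMS plugin table (not Zenario's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plugins (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO plugins VALUES (?, ?)",
                     [(1, "banner"), (2, "gallery"), (3, "contact_form")])
    conn.commit()
    return conn


def delete_plugin_vulnerable(conn, plugin_id):
    """Anti-pattern: the request's id value is concatenated into the query text.
    A single quote in the value changes the SQL grammar; the resulting parser
    error is exactly the "server responds with the SQL error" signal above."""
    sql = "DELETE FROM plugins WHERE id = '" + plugin_id + "'"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.OperationalError as exc:
        return "sql error: " + str(exc)


def delete_plugin_fixed(conn, plugin_id):
    """Hardened form: reject anything that is not a plain integer, then pass the
    value as a bound parameter so it can never be interpreted as SQL."""
    if not plugin_id.isdigit():
        return "rejected"
    conn.execute("DELETE FROM plugins WHERE id = ?", (int(plugin_id),))
    conn.commit()
    return "ok"


def remaining_ids(conn):
    """Helper for checking what each handler actually did to the table."""
    return [row[0] for row in conn.execute("SELECT id FROM plugins ORDER BY id")]
```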
Reported Date: 05-02-2021
Fixed Date: 08-02-2021
Fixed Version: Zenario 8.8.53370
Reference: https://github.com/TribalSystems/Zenario/releases
CVE: CVE-2021-26830
Exploit Author: Balaji Ayyasamy (Zacco Cyber Security Research Labs)