Summary
AutoCMS v5.4 suffers from a SQL Injection vulnerability that can be exploited by an attacker with administrative privileges to execute arbitrary SQLite statements.
Details
The vulnerability is present in the sidebar parameter of the /admin/robot.php endpoint. An attacker with administrative privileges can leverage this issue to execute arbitrary SQLite statements on the database.
The following URL demonstrates the vulnerability by outputting the SQLite version:
http://target-ip/admin/robot.php?edit=default&sidebar=-1' AND 1=2 UNION SELECT 1758999520,2,sqlite_version(),4,5 --
When this URL is accessed, the SQL injection payload is executed, and the server returns a page that includes the SQLite version information. The payload uses the UNION SELECT statement to retrieve the version, and the -- at the end comments out the rest of the original query, allowing the injected code to execute successfully.
POC
http://target-ip/admin/robot.php?edit=default&sidebar=-1' AND 1=2 UNION SELECT 1758999520,2,sqlite_version(),4,5 --
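The mechanism behind the advisory, shown as an added example rather than AutoCMS's own code: a lookup that splices the sidebar parameter into the SQL text beside the same lookup done with a bound parameter and an allow-list check. The table name, its five columns and the sample row are assumptions (the real schema is not on the page; five columns are assumed only because the page's payload UNIONs five values). The payload string is the one quoted above; against the concatenating version it returns the engine version in the third column, against the parameterized version it is just a sidebar name that does not exist.

```python
import re
import sqlite3

# Payload as quoted in the advisory (the value of the `sidebar` query parameter).
PAYLOAD = "-1' AND 1=2 UNION SELECT 1758999520,2,sqlite_version(),4,5 --"

# Hypothetical schema; constructed for this example, not AutoCMS's real table.
SCHEMA = ("CREATE TABLE sidebars ("
          "id INTEGER, name TEXT, content TEXT, position INTEGER, visible INTEGER)")
SAMPLE_ROW = (1, "default", "Welcome", 1, 1)


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding one constructed sidebar row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO sidebars VALUES (?, ?, ?, ?, ?)", SAMPLE_ROW)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sidebar: str) -> list:
    """The defect class the advisory describes: the parameter becomes SQL text.

    A quote inside `sidebar` terminates the string literal, the remainder is
    parsed as SQL, and the trailing `--` comments out the closing quote the
    template would otherwise leave behind.
    """
    sql = ("SELECT id, name, content, position, visible FROM sidebars "
           f"WHERE name = '{sidebar}'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, sidebar: str) -> list:
    """Same query with a bound parameter.

    SQLite receives the value separately from the statement text, compares it
    as one opaque string and never parses it, so the payload matches nothing.
    """
    sql = ("SELECT id, name, content, position, visible FROM sidebars "
           "WHERE name = ?")
    return conn.execute(sql, (sidebar,)).fetchall()


# Defence in depth: an allow-list of what a sidebar name may look like
# (assumed format), applied before the value reaches the database at all.
SIDEBAR_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_sidebar_name(sidebar: str) -> bool:
    return SIDEBAR_NAME.fullmatch(sidebar) is not None


def lookup_validated(conn: sqlite3.Connection, sidebar: str) -> list:
    """Allow-list check, then the parameterized lookup."""
    if not is_valid_sidebar_name(sidebar):
        raise ValueError("invalid sidebar name")
    return lookup_hardened(conn, sidebar)


def engine_version() -> str:
    """Version string the injected sqlite_version() call is expected to yield."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    db = make_db()
    print("vulnerable :", lookup_vulnerable(db, PAYLOAD))   # leaks the version
    print("hardened   :", lookup_hardened(db, PAYLOAD))     # []
    print("legitimate :", lookup_hardened(db, "default"))   # the sample row
    print("allow-list :", is_valid_sidebar_name(PAYLOAD))   # False
```

The fix that matters is the bound parameter: it removes the injection regardless of what the value contains. The allow-list is a second layer that also stops the request earlier and gives a clean point to log rejected values, but it is not a substitute for parameterization, since a format that later has to admit spaces or punctuation would silently reopen the concatenating version.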