CVE-2017-5344
Severity: CRITICAL
dotCMS < 3.6.1 - Unauthenticated SQL Injection via categoriesServlet q/inode Parameters
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2017-5344. PoCs published by Ben Nott.
AI-analyzed exploit summary
This is a blind boolean SQL injection exploit for dotCMS <= 3.6.1 (CVE-2017-5344). It targets the `/categoriesServlet` endpoint with crafted payloads to exfiltrate user credentials from the database.
Description
An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklist were implemented in a new class, SQLUtil (main/java/com/dotmarketing/common/util/SQLUtil.java), as part of the remediation of CVE-2016-8902; however, these can be overcome in the case of the q and inode parameters to the /categoriesServlet path. Overcoming these controls permits a number of blind boolean SQL injection vectors in either parameter. The /categoriesServlet web path can be accessed remotely and without authentication in a default dotCMS deployment.
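The root cause named above is string interpolation of request parameters into SQL text; quote escaping and a keyword blacklist (the SQLUtil approach) leave the query still built from untrusted strings. The following added example is not dotCMS code and uses a constructed SQLite table in place of dotCMS's schema: it places the interpolating pattern beside a parameterized version of the same "children matching a filter" query, and shows that only the parameterized form treats quote characters in the filter as data.

```python
import sqlite3

# Constructed sample data (hypothetical schema, not dotCMS's): a small category tree.
SAMPLE_ROWS = [
    ("inode-1", "Root", None),
    ("inode-2", "News", "inode-1"),
    ("inode-3", "Sports", "inode-1"),
    ("inode-4", "Football", "inode-3"),
    ("inode-5", "Kids' Corner", "inode-1"),
]


def make_db():
    """Build a fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (inode TEXT PRIMARY KEY, name TEXT, parent TEXT)")
    conn.executemany("INSERT INTO category VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_children_interpolated(conn, parent_inode, q):
    """Defective pattern: caller-controlled strings are spliced into the SQL text,
    so any quote in q or parent_inode changes the structure of the statement."""
    sql = ("SELECT inode, name FROM category WHERE parent = '%s' AND name LIKE '%%%s%%'"
           % (parent_inode, q))
    return conn.execute(sql).fetchall()


def find_children_parameterized(conn, parent_inode, q):
    """Hardened pattern: placeholders carry the values out-of-band from the SQL text,
    and LIKE metacharacters in q are escaped so the filter matches literally."""
    sql = "SELECT inode, name FROM category WHERE parent = ? AND name LIKE ? ESCAPE '\\'"
    escaped = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(sql, (parent_inode, "%" + escaped + "%")).fetchall()


def compare(q, parent_inode="inode-1"):
    """Run both variants on a fresh database and return (interpolated, parameterized).
    A broken statement from the interpolating variant is reported as an error string."""
    conn = make_db()
    try:
        interpolated = find_children_interpolated(conn, parent_inode, q)
    except sqlite3.OperationalError as exc:
        interpolated = "error: %s" % exc
    parameterized = find_children_parameterized(conn, parent_inode, q)
    return interpolated, parameterized


if __name__ == "__main__":
    for filt in ("News", "Kids'", "%"):
        print(repr(filt), "->", compare(filt))
```

With a plain filter both variants agree; with a filter containing an apostrophe the interpolating variant produces a malformed statement (the same property an injection vector relies on), while the parameterized variant returns the matching row. The ESCAPE clause additionally stops `%` and `_` in the filter from acting as wildcards, which a blacklist would not address.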
Exploits (1)
References (5)
Scores
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H