CVE-2021-26599
Published 2022-03-28
CVE-2021-26599: ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
Priority: P270 · Severity: critical · CVSS 3.1 base score: 9.8 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see the Exploit-DB entry below)
EPSS: 19.42% (97.0th percentile)
ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| impresscms | impresscms | < 1.4.4 | 1.4.4 |
| impresscms | impresscms | >= 0 < 1.4.3 | 1.4.3 |
Detection & IOCs (extracted from sources)
- Detect SQL injection attempts against include/findusers.php via the POST parameter groups[] containing SQL metacharacters or SLEEP/PREPARE/EXECUTE patterns.
- Alert on POST requests to modules/system/admin.php with fct=autotasks and op=addautotasks, indicating malicious autotask creation for RCE.
- Detect HTTP requests to the ImpressCMS root URL carrying a custom CMD header containing base64-encoded OS commands, used for post-exploitation shell interaction.
- Monitor for time-based blind SQL injection via SLEEP() in the groups[] POST parameter to include/findusers.php; responses delayed by 2 seconds or more indicate exploitation.
- Detect uname=egix login attempts following SQL injection, as the exploit inserts a hardcoded admin user named 'egix' with md5('egix') as password.
- Nuclei/scanner fingerprint: an HTTP 200 response from the ImpressCMS endpoint whose body contains the string 'array(1) {' indicates a vulnerable version.
- Detect passthru() or base64_decode() injected into ImpressCMS autotask code fields (sat_code parameter), indicating webshell implantation.
- The exploit chains CVE-2021-26598 (token disclosure via misc.php) with CVE-2021-26599 (SQL injection via findusers.php groups[]); both CVEs must be present for the full RCE chain to succeed.
- The SQL injection payload uses MySQL-specific PREPARE/EXECUTE and SLEEP() constructs; detection rules should be scoped to MySQL-backed ImpressCMS deployments.
- The exploit inserts a rogue admin user (level=5, groupid=1) directly into the database; post-exploitation forensics should audit the users and groups_users_link tables for unexpected entries.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA
SQL Injection in ImpressCMS (ghsa · 2022-03-29)
CVE-2021-26599 [CRITICAL] CWE-89 SQL Injection in ImpressCMS
ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
OSV
SQL Injection in ImpressCMS (osv · 2022-03-29)
CVE-2021-26599 [CRITICAL] SQL Injection in ImpressCMS
ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
No detection rules found.
Exploit-DB
ImpressCMS 1.4.2 - Remote Code Execution (RCE) (exploitdb · 2022-03-30 · CVSS 9.8)
CVE-2021-26599 [CRITICAL] ImpressCMS 1.4.2 - Remote Code Execution (RCE)
Exploit script (excerpt):

```php
# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE)
# Exploit Author: Egidio Romano aka EgiX
# Date: 30/03/2022
# Version: ";
print "\nExample.: php $argv[0] http://localhost/impresscms/";
print "\nExample.: php $argv[0] https://www.impresscms.org/\n\n";
die();
}
$url = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
print "\n[+] Retrieving security token (CVE-2021-26598)\n";
curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend");
$res = curl_exec($ch);
if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session coookie not found!\n");
if (!preg_match("/TOKEN_REQUEST'
```
Nuclei
ImpressCMS < 1.4.3 - SQL Injection (nuclei · CVSS 9.8)
CVE-2021-26599 [CRITICAL] ImpressCMS < 1.4.3 - SQL Injection
Template (excerpt):

```yaml
ImpressCMS =7
- status_code==200
- contains(body, "array(1) {")
condition: and
# digest: 4a0a0047304502200716b3fd5c12caf7a5ff79b1eb7f768a9a4b3410a4e74dfd1610bbe6b60764be022100b82d378d80ae1aa2d84a173afbd1e3ca976639165e5b8cf41421d525ab912f5a:922c64590222798bb761d5b6d8e72950
```
References
- http://karmainsecurity.com/KIS-2022-04
- http://packetstormsecurity.com/files/166404/ImpressCMS-1.4.2-SQL-Injection.html
- http://seclists.org/fulldisclosure/2022/Mar/46
- https://hackerone.com/reports/1081145
Published: 2022-03-28