202CMS Blind SQL Injection Vulnerability

A blind SQL injection vulnerability has been identified in 202CMS version 10 beta. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'log_user' parameter. Exploitation involves sending POST requests to 'index.php' with crafted SQL payloads that utilize time-based blind injection techniques, enabling the extraction of sensitive database information.

Impact

Exploitation of this vulnerability allows for blind SQL injection, where an attacker can manipulate database queries and potentially extract sensitive information from the database.

Reproduction

To reproduce this vulnerability, send a POST request to 'index.php' with a payload that includes a SQL injection in the 'log_user' parameter. The payload should be crafted to exploit the application's SQL query handling, using time-based techniques to extract data. This vulnerability can also be reproduced by injecting SQL payloads through the 'reg_user' and 'reg_mail' parameters on the 'register.php' page, following a similar injection pattern.