[EN] Concrete 5.5.2.1 CMS - SQL Injection

[ TITLE ....... ][ Concrete 5.5.2.1 CMS - SQL Injection
[ DATE ........ ][ 22.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
SQL Injection.

[--------------------------------------------[
[ 3. Where is bug :)
Vulnerable parameter is fID. For example (from mysqls logs):

    60832 Query    insert into DownloadStatistics (fID, fvID, uID, rcID) values (NULL, 0, 1, 0)
        FROM Files LEFT JOIN FileVersions on Files.fID = FileVersions.fID and FileVersions.fvIsApproved = 1
        WHERE Files.fID = '1 waitfor delay \'0:0:10\'--'
        FROM Files LEFT JOIN FileVersions on Files.fID = FileVersio

Ok, so now we know that sql injection occurs in parameter for 'statistic' (if file=downloaded >+1@stats).

Enjoy but I saw that this parameter is available only for admin, so... ;> .

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[