Thursday 26 April 2012
[EN] Concrete 5.5.2.1 CMS - SQL Injection
[ TITLE ....... ][ Concrete 5.5.2.1 CMS - SQL Injection
[ DATE ........ ][ 22.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
SQL Injection.
[--------------------------------------------[
[ 3. Where is bug :)
Vulnerable parameter is fID. For example (from mysqls logs):
60832 Query insert into DownloadStatistics (fID, fvID, uID, rcID) values (NULL, 0, 1, 0)
FROM Files LEFT JOIN FileVersions on Files.fID = FileVersions.fID and FileVersions.fvIsApproved = 1
WHERE Files.fID = '1 waitfor delay \'0:0:10\'--'
FROM Files LEFT JOIN FileVersions on Files.fID = FileVersio
Ok, so now we know that sql injection occurs in parameter for 'statistic' (if file=downloaded >+1@stats).
Enjoy but I saw that this parameter is available only for admin, so... ;> .
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
What do You think...?