Pligg CMS 2.0.2 SQL injection

vendor:

Pligg CMS

by:

jsass

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Pligg CMS

Affected Version From: 2.0.2

Affected Version To: 2.0.2

Patch Exists: NO

Related CWE: N/A

CPE: a:pligg:pligg_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Kali Sana 2.0

2015

Pligg CMS 2.0.2 SQL injection

Pligg CMS 2.0.2 is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable parameter 'sql' in the 'load_data_for_search.php' file. This can be done by sending a crafted HTTP request to the vulnerable parameter. An attacker can use SQLmap to exploit this vulnerability.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Pligg CMS 2.0.2 SQL injection
# Date: 29-08-2015
# Exploit Author: jsass
# Vendor Homepage: http://pligg.com
# Software Link: https://github.com/Pligg/pligg-cms/archive/2.0.2.zip
# Version: 2.0.2
# Tested on: kali sana 2.0

################ Q8 Gray Hat Team ################



SQLInjection

File : load_data_for_search.php


 $search = new Search();
	
	if(isset($_REQUEST['start_up']) and $_REQUEST['start_up']!= '' and $_REQUEST['pagesize'] != ''){
		
		$pagesize = $_REQUEST['pagesize'];
		$start_up = $_REQUEST['start_up'];
		$limit = " LIMIT $start_up, $pagesize";	
	}
	if(isset($_REQUEST['sql']) and $_REQUEST['sql']!= ''){
		$sql = $_REQUEST['sql'];
		$search->sql = $sql.$limit;
	}
	
	$fetch_link_summary = true;
	$linksum_sql = $sql.$limit;

Exploit : http://localhost/pligg-cms-master/load_data_for_search.php?sql={SQLi}

Type Injection : Boolean & Time Based 

Use SQLmap To Inject ..

Demo : http://www.pligg.science/load_data_for_search.php?sql={SQLi}


################ Q8 Gray Hat Team ################

Great's To : sec4ever.com && alm3refh.com