Exploit Title: SQL Injection vulnerability (Content DB) on FlatCore v1.4.6
Date: 11-April-2017
Exploit Author: @shardulm94
Software Link: https://github.com/flatCore/flatCore-CMS/archive/v1.4.6.zip
Version: 1.4.6
Description:
SQL Injection allows an attacker to run malicious SQL statements against a database and thus read or modify the data it holds. With enough privileges assigned to the database user, it can also allow the attacker to delete tables or drop whole databases.
Exploit:
The vulnerability is due to a non-parameterized SQL query at https://github.com/flatCore/flatCore-CMS/blob/master/core/functions/func_get_content.php#L17 and a few following lines. We assume that FlatCore is installed at http://localhost/flatcore/. The exploit URL is http://localhost/flatcore/' OR page_status='ghost' LIMIT 0,1 --. This effectively causes the following query to be executed: SELECT * FROM fc_pages WHERE page_id = '' OR page_status='ghost' LIMIT 0,1 --' which allows an unauthenticated user to view all ghost/invisible pages without having links to them. The exploit URL can also possibly be modified to leak the content database using UNION-based SQL injection attacks.
References:
https://www.owasp.org/index.php/SQL_Injection
Screenshots:
[screenshot] Viewing ghost pages
Impact: Read data from the content database
Mitigation: Use of Parameterized SQL Queries
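To make the mitigation concrete, the following is an added example (not FlatCore's own PHP code) that rebuilds the flaw and its fix in Python over an in-memory SQLite database: the fc_pages table, its columns other than page_id and page_status, and the sample rows are constructed stand-ins, and the query is reduced to the page_id lookup the advisory describes. Run as a regression check, it shows that string concatenation returns the hidden ghost page for the reported payload while the parameterized query returns nothing.

```python
import sqlite3

# Payload exactly as reported in the advisory (the part after the base URL).
PAYLOAD = "' OR page_status='ghost' LIMIT 0,1 --"


def make_db():
    """Constructed fixture standing in for FlatCore's content database."""
    conn = sqlite3.connect(":memory:")
    # page_title is an assumed column name; only page_id/page_status are from the advisory.
    conn.execute("CREATE TABLE fc_pages (page_id TEXT, page_title TEXT, page_status TEXT)")
    conn.executemany("INSERT INTO fc_pages VALUES (?, ?, ?)", [
        ("home", "Home", "public"),
        ("unlisted-draft", "Unpublished draft", "ghost"),
    ])
    return conn


def get_page_vulnerable(conn, page_id):
    """Mirrors the flaw: untrusted input is spliced into the SQL text itself."""
    sql = "SELECT page_id, page_title FROM fc_pages WHERE page_id = '" + page_id + "'"
    return conn.execute(sql).fetchall()


def get_page_parameterized(conn, page_id):
    """Fix: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT page_id, page_title FROM fc_pages WHERE page_id = ?"
    return conn.execute(sql, (page_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(get_page_vulnerable(conn, PAYLOAD))      # leaks the ghost page
    print(get_page_parameterized(conn, PAYLOAD))   # returns []
    print(get_page_parameterized(conn, "home"))    # normal lookup still works
```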