# Exploit Title: 60CycleCMS 2.5.2 - 'news.php' SQL Injection # Google Dork: N/A # Date: 2020-03-07 # Exploit Author: Unkn0wn # Vendor Homepage: http://davidvg.com/ # Software Link: https://www.opensourcecms.com/60cyclecms # Version: 2.5.2 # Tested on: Ubuntu # CVE : N/A --------------------------------------------------------- SQL Injection vulnerability: ---------------------------- in file /common/lib.php Line 64 -73 * function getCommentsLine($title) { =09$title =3D addslashes($title); =09$query =3D "SELECT `timestamp` FROM `comments` WHERE entry_id=3D '$title= '"; =09// query MySQL server =09$result=3Dmysql_query($query) or die("MySQL Query fail: $query");=09 =09$numComments =3D mysql_num_rows($result); =09$encTitle =3D urlencode($title); =09return '<a href=3D"post.php?post=3D' . $encTitle . '#comments" >' . $num= Comments . ' comments</a>';=09 } lib.php line 44: * =09$query =3D "SELECT `timestamp`,`author`,`text` FROM `comments` WHERE `en= try_id` =3D'$title' ORDER BY `timestamp` ASC"; * * news.php line 3: * require 'common/lib.php'; *=20 Then in line 15 return query us: * $query =3D "SELECT MAX(`timestamp`) FROM `entries * http://127.0.0.1/news.php?title=3D$postName[SQL Injection] ---------------------------- Cross Site-Scripting vulnerability: File news.php in line: 136-138 : * $ltsu =3D $_GET["ltsu"]; $etsu =3D $_GET["etsu"]; $post =3D $_GET["post"]; * get payload us and printEnerty.php file in line 26-27: * <? echo '<a class=3D"navLink" href=3D"index.php?etsu=3D' . $etsu . '">Older= ></a>'; <? echo '<a class=3D"navLink" href=3D"index.php?ltsu=3D' . 0 . '">Oldest &g= t;>|</a>';=20 * print it for us! http://127.0.0.1/index.php?etsu=3D[XSS Payloads] http://127.0.0.1/index.php?ltsu=3D[XSS Payloads] ---------------------------------------------------------- # @ 2010 - 2020 # Underground Researcher