ezcms-bypass.txt

2008-06-16T00:00:00
ID PACKETSTORM:67353
Type packetstorm
Reporter t0pp8uzz
Modified 2008-06-16T00:00:00

Description

                                        
                                            `-[*]+================================================================================+[*]-  
-[*]+ EZCMS <= 1.2 Multiple Remote Vulnerabilitys +[*]-  
-[*]+================================================================================+[*]-  
  
  
  
[*] Discovered By: t0pP8uZz  
[*] Discovered On: 19 MAY 2008  
[*] Script Download: http://eztechhelp.com  
[*] DORK google/altavista: "Powered by EZCMS"  
  
  
  
[*] Vendor Has Not Been Notified!  
  
  
  
[*] DESCRIPTION:   
  
EZCMS (all versions released to date) suffers from two remote vulnerabilities.  
  
The first is a BLIND SQL injection in "index.php": the "page" variable is injectable.  
See the example below.  
  
The second is an insecure file manager. The file manager is hidden away in admin; the devs  
probably thought no one would find it.. but here i am telling you ;)   
See more below.  
  
  
  
[*] Blind SQL Injection:  
  
http://site.com/index.php?page=1 and 1=1  
http://site.com/index.php?page=1 and 1=2  
  
  
  
[*] Arbitrary Remote File Manager Access:  
  
http://site.com/ezcms/admin/filemanager/  
  
  
  
[*] NOTE/TIP:   
  
No exploit was coded for the blind injection, because there is no point when you can get an easy shell  
through the file manager, although if you're curious, use SQLMap (check sourceforge).  
  
The "File Manager" is a very easy to use bug: just browse to site.com/ezcms/admin/filemanager/  
(site.com being the actual site) and you can upload/edit/delete/move files and folders.  
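For an operator who wants to know whether either issue described above is being probed on a host, here is an added detection example written for this page; it is not part of the advisory and not EZCMS code. It parses constructed Apache combined-format access-log lines (the IPs, timestamps and byte counts are made up), flags a non-numeric "page" value on index.php that carries a boolean expression such as "and 1=1", pairs consecutive probes from one client whose response sizes differ (the signal a boolean-based blind probe is designed to produce), and flags any request to the admin file manager path, which the advisory says is reachable without authentication. The log format and path prefix are assumptions about the deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format); not taken from the advisory or any real host.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jun/2008:10:01:02 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jun/2008:10:01:09 +0000] "GET /index.php?page=1%20and%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jun/2008:10:01:11 +0000] "GET /index.php?page=1%20and%201=2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2008:10:02:30 +0000] "GET /ezcms/admin/filemanager/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Jun/2008:10:03:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Boolean-based probe shape: an AND/OR followed by a comparison, e.g. "1 and 1=1" / "1 and 1=2".
SQLI_PROBE_RE = re.compile(r"\b(and|or)\b\s+\S+\s*=\s*\S+", re.IGNORECASE)

# Path of the file manager named in the advisory (assumed to sit under the web root like this).
ADMIN_FM_PREFIX = "/ezcms/admin/filemanager/"


def parse_line(line):
    """Split one access-log line into fields, decoding the query string; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "1%20and%201=1" becomes "1 and 1=1".
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def detect(log_text):
    """Return alert dicts for the two patterns the advisory describes."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].endswith("/index.php"):
            for value in rec["query"].get("page", []):
                # A legitimate page id is numeric; a boolean expression in it is a probe.
                if not value.isdigit() and SQLI_PROBE_RE.search(value):
                    alerts.append({"ip": rec["ip"], "kind": "sqli-probe",
                                   "detail": value, "size": rec["size"]})
        if rec["path"].startswith(ADMIN_FM_PREFIX):
            # The advisory states this path needs no authentication, so every hit deserves review.
            alerts.append({"ip": rec["ip"], "kind": "admin-filemanager-access",
                           "detail": rec["path"], "size": rec["size"]})
    return alerts


def differing_probe_responses(alerts):
    """Pair consecutive probes from one client whose response sizes differ.

    A true/false blind probe pair (1=1 vs 1=2) that yields different page sizes is the
    confirmation an attacker looks for, so it is also the strongest signal for a defender.
    """
    by_ip = {}
    for a in alerts:
        if a["kind"] == "sqli-probe":
            by_ip.setdefault(a["ip"], []).append(a)
    pairs = []
    for ip, seq in by_ip.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev["size"] != cur["size"]:
                pairs.append((ip, prev["detail"], cur["detail"]))
    return pairs


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ip"]:<14} {a["kind"]:<26} {a["detail"]}')
    for ip, first, second in differing_probe_responses(found):
        print(f"{ip}: differing responses for {first!r} vs {second!r}")
```

Run against the constructed log the script reports two probe values from 203.0.113.5, one differing-response pair for that client, and one file-manager access from 198.51.100.7; the request for page=about is not flagged because it carries no boolean expression. On a real host the same two checks apply to the server's own access log, and any hit on the file manager path from an unexpected source is the one to act on first.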
  
  
  
[*] GREETZ:   
  
milw0rm.com, h4ck-y0u.org, CipherCrew !  
  
  
  
[-] peace,   
  
t0pP8uZz  
  
  
  
-[*]+================================================================================+[*]-  
-[*]+ EZCMS <= 1.2 Multiple Remote Vulnerabilities +[*]-  
-[*]+================================================================================+[*]-  
  
  
  