EZCMS <= 1.2 (bSQL/Admin Byapss) Multiple Remote Vulnerabilities

2008-06-14T00:00:00
ID 1337DAY-ID-3185
Type zdt
Reporter t0pP8uZz
Modified 2008-06-14T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ================================================================
EZCMS <= 1.2 (bSQL/Admin Byapss) Multiple Remote Vulnerabilities
================================================================




-[*]+================================================================================+[*]-
-[*]+		       EZCMS <= 1.2 Multiple Remote Vulnerabilitys	             +[*]-
-[*]+================================================================================+[*]-



[*] Discovered By: t0pP8uZz
[*] Discovered On: 19 MAY 2008
[*] Script Download: http://eztechhelp.com
[*] DORK google/altavista: "Powered by EZCMS"



[*] Vendor Has Not Been Notified!



[*] DESCRIPTION: 

	EZCMS (all versions prior to date) suffers from 2 remote vulnerabilitys.
	
	One of these being a BLIND Sql Injection in "index.php" and the "page" variable is injectable.
	see example below.

	The second one being a insecure filemanager, the filemanager is hidden away in admin, the devs
	probarly thought no one would find it.. but here i am telling you  ;)  
	see more below.



[*] Blind SQL Injection:

	http://site.com/index.php?page=1 and 1=1
	http://site.com/index.php?page=1 and 1=2



[*] Arbitrary Remote File Manager Access:

	http://site.com/ezcms/admin/filemanager/



[*] NOTE/TIP: 

	no exploit coded for the blind injection, because no point due to you can get a easy shell
	through the file manager, althou if your curious, use SQLMap. (check sourceforge)

	the "File Manager" is a very easy to use bug, just browse to site.com/ezcms/admin/filemanager/
	site.com being the actual site and you can upload/edit/delete/upload/move  files/folders.




#  0day.today [2018-03-01]  #