exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ezContents CMS 2.0.3 Bypass / SQL Injection

ezContents CMS 2.0.3 Bypass / SQL Injection
Posted Jan 20, 2010
Authored by AmnPardaz Security Research Team | Site bugreport.ir

ezContents CMS versions 2.0.3 and below suffer from bypass and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | d199e4b6182bf67f4281677eb5f84cdd498291c9c4dc8b15050808b11813c98a

ezContents CMS 2.0.3 Bypass / SQL Injection

Change Mirror Download
##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title: ezContents CMS Multiple Vulnerabilities
# Vendor: http://ezcontents.org/
# Vulnerable Version: 2.0.3 (and prior versions)
# Exploitation: Remote with browser
# Fix: N/A
###################################################################################

####################
- Description:
####################

ezContents is a nice PHP CMS which allow management of dynamic
contents and web publishing.

####################
- Vulnerability:
####################

+--> SQL Injection
Most of GET and POST parameters are not sanitized before being used in
SQL query.

Vulnerable Pages/Affected Parameters:
- 'admin/adminlogin.php'/'login'
- 'bannerclick.php'/'id'
- 'comments.php'/'article'
- 'control.php'/'topgroupname' and 'groupname'
- 'headeruserdata.php'/'topgroupname' and 'groupname'
- 'login.php'/'subgroupname' and 'groupname' and 'topgroupname' and 'login'
- 'menu.php'/'groupname' and 'topgroupname'
- 'module.php'/'topgroupname' and 'groupname'
- 'modules/diary/m_diaryform.php'/'DiaryID'
- 'modules/diary/showdiary.php'/'month' and 'year'
- 'modules/diary/showdiarydetail.php'/'diaryid'
- 'modules/gallery/m_galleryform.php'/'galleryID'
- 'modules/gallery/showgallerydetails.php'/'galleryid'
- 'modules/links/m_linksform.php'/'GuestbookID'
- 'modules/guestbook/m_guestbookform.php'/'LinkID'
- 'modules/modfunctions.php'/'topgroupname'
- 'modules/news/m_news.php'/'NewsID'
- 'modules/news/shownewsdetails.php'/'newsid'
- 'modules/poll/m_pollform.php'/'PollID'
- 'modules/poll/m_polloptiondel.php'/'PollOptionID'
- 'modules/poll/m_polloptions.php'/'PollID'
- 'modules/poll/m_polloptionsform.php'/'PollOptionID'
- 'modules/reviews/m_reviewsform.php'/'reviewsID'
- 'modules/reviews/showreviewdetails.php'/'reviewsid'
- 'printer.php'/'article'
- 'rateit.php'/'article'
- 'selectsite.php'/'Site'
- 'selecttheme.php'/'Theme'
- 'showcontents.php'/'groupname' and 'subgroupname' and 'topgroupname'
- 'showdetails.php'/'contentname'
- 'userinfo.php'/'topgroupname'

+--> Authentication Bypass
Authentication Bypass in 'comments.php'. No check for login performed.


####################
- Exploits/PoCs:
####################

The admin password can be extracted using timing attack.
The general SQL Injection vector for exploiting login page
is:
admin' AND IF(@Condition,BENCHMARK(1000000, md5(10)),2) OR '1'='1
In the above vector @Condition can be replaced with any boolean
experation and in case of true value page will have a sensible wait
before starting transfer phase.
For extracting password, we first find the length of password
using 'length(userpassword)>**' as @Condition and binary search on
** pass length.
Then we can find i-th character of the password using
"substring(userpassword,i,1) > '*'" as @Condition and binary search
on the * as characters.

####################
- Solution:
####################

Edit the source code to ensure that inputs are properly sanitized.

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_65.htm

####################
- Credit:
####################
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close