[+] Exploit title: Small-CMS 1.0 - SQL injection/Authentication Bypass
[+] Date: 2/10/2012
[+] Author: Phizo
[+] Vendor: http://www.small-cms.com/
[+] Version: 1.0
[+] Category: webapps
[+] Google dork: intitle:"Find it yourself."
[+] Tested on: Windows 7 | Firefox 15.0.1



=================================
default.class.php ~ lines 220-230
=================================

    function checkCredentials($username, $password){     
        $obscure = $this->obscure($password);                
        $query = "SELECT * FROM ".$this->prefix_db."users WHERE user_name = '$username' AND user_pass = '$obscure' AND user_active = '1' LIMIT 1;";
            $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_array($result);        
        if ($row) {
            return true;
        } else {
            return false;
        }
    }


=================================
default.class.php ~ lines 260-275
=================================

    function setSession($username,$password,$cookie){
    
            $query = "SELECT id FROM ".$this->prefix_db."users WHERE user_name = '$username' AND user_pass = '$password' AND user_active = '1' LIMIT 1;";
            $result = mysql_query($query) or die(mysql_error());
            $row = mysql_fetch_array($result);
            
                    
        $values = array($username,$this->obscure($password),$row['id']);
        $session = implode(",",$values);
        if($cookie=='on'){
            //cookies
            setcookie("$this->session_name", $session, time()+60*60*24*100,'/');
        } else {
            $_SESSION["$this->session_name"] = $session;
        }
    }


=======================
login.php ~ lines 27-33
=======================

if ($login->checkCredentials($_POST['username'], $_POST['password'])){
        $login->setSession($_POST['username'],$_POST['password'],$_POST['cookie']);
        $login->redirect('index.php?page=admincp');
        } else {
        $error = '';  
        }
}