List: bugtraq
Subject: CMS Core SQL injection
From: foster GHC <foster () ghc ! ru>
Date: 2005-02-09 14:15:47
Message-ID: 20050209141547.28518.qmail () www ! securityfocus ! com
// GHC -> CMS CORE <- ADVISORY
// Product: CMS Core
// URL: http://chipmunk-scripts.com/scripts/cmscore.php
// VULNERABILITY CLASS: SQL injection
/*==========================================*/
[1] script name: index.php
---[code]---
$EntryID=$_GET['EntryID'];
...
$article="SELECT * FROM CMS_articles where EntryID='$EntryID'";
---[/code]---
Possible SQL injection http://CMScore/index.php?EntryID=[SQL code]
[2] script name: index.php
---[code]---
$searchterm=$_POST[searchterm];
...
$newselect="Select * FROM CMS_articles where title LIKE %$searchterm% OR shortdescription
LIKE %$searchterm% OR body LIKE %$searchterm% order by EntryID DESC LIMIT $start,
$numentries";
---[/code]---
Possible SQL injection through $searchterm variable in Search form.
[3] script name: admin/authenticate.php
---[code]---
$username=$_POST['username'];
$password=$_POST['password'];
$password=md5($password);
$query = "select * from CMS_logintable where username='$username' and password='$password'";
$result=mysql_query($query) or die("Could not Query");
---[/code]---
Possible SQL injection through $username variable.
[exploit]
Log in with username
Administrator'/*
from admin/index.php page.
[note]
"Administrator" must be a valid user name.
/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru, D0G4 */
/* & all quest hunters %) */
/* ================================================== */
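
The three queries quoted in the advisory, rewritten with bound parameters. This is an added example, not part of the original advisory and not CMS Core's own code. It assumes PDO with the pdo_sqlite driver; the in-memory database and its rows are constructed so the script runs offline, and the function names get_article, search_articles and check_login are hypothetical.

```php
<?php
// Added example. Constructed in-memory SQLite data stands in for the CMS Core database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE CMS_logintable (username TEXT, password TEXT)");
$db->exec("CREATE TABLE CMS_articles (EntryID INTEGER PRIMARY KEY, title TEXT,
           shortdescription TEXT, body TEXT)");
$db->prepare("INSERT INTO CMS_logintable VALUES (?, ?)")
   ->execute(['Administrator', md5('constructed-password')]);
$db->prepare("INSERT INTO CMS_articles (title, shortdescription, body) VALUES (?, ?, ?)")
   ->execute(['Hello', 'first post', 'constructed body text']);

// [1] EntryID: accept integers only, then bind the value instead of interpolating it.
function get_article(PDO $db, $entryId): ?array {
    $id = filter_var($entryId, FILTER_VALIDATE_INT);
    if ($id === false) { return null; }
    $st = $db->prepare("SELECT * FROM CMS_articles WHERE EntryID = ?");
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// [2] search: the wildcard pattern is built in PHP and bound; LIMIT values are bound as ints.
function search_articles(PDO $db, string $term, $start, $numentries): array {
    $st = $db->prepare("SELECT * FROM CMS_articles WHERE title LIKE :t1
        OR shortdescription LIKE :t2 OR body LIKE :t3
        ORDER BY EntryID DESC LIMIT :start, :num");
    foreach ([':t1', ':t2', ':t3'] as $p) {
        $st->bindValue($p, '%' . $term . '%', PDO::PARAM_STR);
    }
    $st->bindValue(':start', max(0, (int)$start), PDO::PARAM_INT);
    $st->bindValue(':num', max(1, (int)$numentries), PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// [3] login: look the user up by bound username, compare hashes in PHP.
// md5 is kept only because it is the stored format the advisory shows.
function check_login(PDO $db, string $username, string $password): bool {
    $st = $db->prepare("SELECT password FROM CMS_logintable WHERE username = ?");
    $st->execute([$username]);
    $stored = $st->fetchColumn();
    return is_string($stored) && hash_equals($stored, md5($password));
}

// The advisory's login string is bound as data and compared literally to the username column.
var_dump(check_login($db, "Administrator'/*", 'anything'));
var_dump(check_login($db, 'Administrator', 'constructed-password'));
var_dump(get_article($db, 'not-an-integer'), count(search_articles($db, 'Hello', 0, 10)));
```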