SQL injection bugs in CMScore
/*==========================================*/
// GHC -> CMS CORE <- ADVISORY
// Product: CMS Core
// URL: http://chipmunk-scripts.com/scripts/cmscore.php
// VULNERABILITY CLASS: SQL injection
// RISK: high
/*==========================================*/

[1] script name: index.php

---[code]---
$EntryID=$_GET['EntryID'];   // taken from the query string, never escaped or cast
...
$article="SELECT * FROM CMS_articles where EntryID='$EntryID'";   // interpolated straight into SQL
---[/code]---

Possible SQL injection:
http://CMScore/index.php?EntryID=[SQL code]

[2] script name: index.php

---[code]---
$searchterm=$_POST['searchterm'];   // taken from the search form, never escaped
...
$newselect="Select * FROM CMS_articles where title LIKE '%$searchterm%' OR shortdescription LIKE '%$searchterm%' OR body LIKE '%$searchterm%' order by EntryID DESC LIMIT $start, $numentries";
---[/code]---

Possible SQL injection through the $searchterm variable from the search form.

[3] script name: admin/authenticate.php

---[code]---
$username=$_POST['username'];   // taken from the login form, never escaped
$password=$_POST['password'];
$password=md5($password);       // the password is hashed, but the username goes into SQL as-is
$query = "select * from CMS_logintable where username='$username' and password='$password'";
$result=mysql_query($query) or die("Could not Query");
---[/code]---

Possible SQL injection through the $username variable.

[exploit]
Log in with username Administrator'/* from the admin/index.php page.

[note]
"Administrator" must be a valid user name.

/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru, D0G4 */
/* & all quest hunters %) */
/* ================================================== */
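All three findings share one root cause: request values are interpolated into the SQL string, so the quote in a value ends the string literal and the rest of the value is parsed as SQL (in [3], the trailing /* comments out the password check entirely). The fix is to send the query and the data separately. The block below is an added example, not CMS Core's own code: it rewrites the three queries with mysqli prepared statements, keeping the table and column names from the advisory. The function names, the connection parameters, the page-size cap and the availability of mysqli's get_result() (mysqlnd) are assumptions.

```php
<?php
// Added example (not CMS Core's own code): the three queries from the advisory
// rewritten with mysqli prepared statements. Table and column names come from
// the advisory; function names and the connection details are assumed.

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// [1] index.php: EntryID comes from the query string. It is bound as an
// integer, so a value such as "1' OR 1=1" never reaches the parser as SQL.
function fetchArticle(mysqli $db, string $rawEntryId): ?array
{
    if (!ctype_digit($rawEntryId)) {
        return null;                         // reject non-numeric ids up front
    }
    $entryId = (int) $rawEntryId;
    $stmt = $db->prepare("SELECT * FROM CMS_articles WHERE EntryID = ?");
    $stmt->bind_param("i", $entryId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// [2] index.php search: the term is bound as a string and the LIMIT bounds as
// integers. "%" and "_" are escaped so the user searches for literal text
// (drop the addcslashes() call if wildcard search is a feature).
function searchArticles(mysqli $db, string $term, int $start, int $numEntries): array
{
    $pattern    = '%' . addcslashes($term, '%_\\') . '%';
    $start      = max(0, $start);
    $numEntries = max(1, min($numEntries, 100));   // assumed page-size cap
    $stmt = $db->prepare(
        "SELECT * FROM CMS_articles
          WHERE title LIKE ? OR shortdescription LIKE ? OR body LIKE ?
          ORDER BY EntryID DESC LIMIT ?, ?"
    );
    $stmt->bind_param("sssii", $pattern, $pattern, $pattern, $start, $numEntries);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// [3] admin/authenticate.php: the username is bound, so the advisory's
// "Administrator'/*" is looked up as exactly that string and matches no row.
// The stored hash is still the unsalted MD5 used by the original schema.
function authenticate(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare("SELECT * FROM CMS_logintable WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    if (!$user) {
        return null;
    }
    // constant-time comparison of the stored hash against the submitted one
    if (!hash_equals($user['password'], md5($password))) {
        return null;
    }
    return $user;
}

// Usage (connection parameters are placeholders):
// $db = new mysqli('localhost', 'cms_user', 'cms_password', 'cms_db');
// $db->set_charset('utf8mb4');
// $article = fetchArticle($db, $_GET['EntryID'] ?? '');
// $hits    = searchArticles($db, $_POST['searchterm'] ?? '', 0, 10);
// $admin   = authenticate($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Two caveats a deployer would want: the integer cast in fetchArticle() is defence in depth, not the fix; the bound parameter is what makes the quote harmless, so a string id would be just as safe once bound. And authenticate() keeps the schema's unsalted MD5 only to stay compatible with existing rows; new installs should store password_hash() output and check it with password_verify() instead.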
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
