Jun 1, 2012

Simple Web Content Management System SQL Injection

For the complete list of vulnerabilities in this advisory, please go to the Source link at the end of this post.

######################################################################################
# Exploit Title: Simple Web Content Management System SQL Injection
# Date: May 30th 2012
# Author: loneferret
# Version: 1.1
# Application Url: http://www.cms-center.com/
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23
######################################################################################
# Discovered by: loneferret
######################################################################################

# Side note:
# This application is nothing fancy, and really shouldn't be used other than
# for practicing SQLi. Pretty much every page has at least one (1) vulnerable
# parameter.

# Vulnerability:
# Due to improper input sanitization, many parameters are prone to SQL injection.
# Most of them require authentication with an (admin) account,
# but there are a few pages that will cause an error without having to log on.


# PoC 1:
# No Authentication Required.
# Page: /admin/item_delete.php?id=[SQLi]
# Vulnerable Parameter: id
# Code:
        $id = $_GET['id'];            // taken straight from the query string, no validation
        $title = NULL;
        $text = NULL;
        database_connect();
        // $id is interpolated unquoted into the SQL string, so any value is parsed as SQL
        $query = "select title,text from content where id = $id;";
        //echo $query;
        $result = mysql_query($query);

# As stated, nothing is checked before passing "id" to MySQL.
# This results in a MySQL error.



# PoC 2:
# No Authentication Required.
# Page: /admin/item_status.php?id=[SQLi]&status=1
# Page: /admin/item_status.php?id=1&status=[SQLi]
# Vulnerable Parameter: id & status
# Code:
        $ref = $_GET['ref'];          // read but never used in this fragment
        $id = $_GET['id'];            // no validation
        $status = $_GET['status'];    // no validation
        // both values are interpolated inside single quotes; a quote in either
        // parameter ends the literal and the rest is parsed as SQL
        $update = "UPDATE content
                SET status='$status'
                WHERE id='$id'";
        // the raw MySQL error text is echoed back to the client on failure
        $query = mysql_query($update)
            or die("Their was a problem updating the status: ". mysql_error());

# As stated, nothing is checked before passing "id" and/or "status" to MySQL.
# This results in a MySQL error.
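Added here as a worked example of how the two fragments above should have been written; this is not code from the advisory or from the CMS itself. It replaces the string-interpolated mysql_query() calls with PDO prepared statements, validates id and status as integers before they reach the database, adds the admin session check the advisory notes is missing, and logs driver errors instead of echoing mysql_error() to the client. The connection details, the database_connect_pdo() and require_admin() helper names, the $_SESSION['is_admin'] flag, and the assumption that status is only ever 0 or 1 are all placeholders for this example, not facts from the page.

```php
<?php
// Added example (not the CMS's own code): hardened equivalents of the
// item_delete.php lookup (PoC 1) and the item_status.php update (PoC 2).
// Helper names, credentials, the session flag and the status range are
// assumptions made for this example.

declare(strict_types=1);

function database_connect_pdo(): PDO
{
    // Connection parameters are placeholders.
    $dsn = 'mysql:host=localhost;dbname=cms;charset=utf8mb4';
    return new PDO($dsn, 'cms_user', 'cms_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements, not client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function require_admin(): void
{
    // The advisory points out that these admin pages answer without a login;
    // this check (assumed session layout) closes that gap.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/** Accept id only as a positive integer; anything else (quotes, arrays, empty) is rejected. */
function parse_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Assumed schema: status is 0 (hidden) or 1 (published). */
function parse_status($raw): ?int
{
    $status = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1]]);
    return $status === false ? null : $status;
}

/** Hardened equivalent of the PoC 1 query: the id travels as a bound parameter. */
function fetch_item(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT title, text FROM content WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Hardened equivalent of the PoC 2 update; returns the number of rows changed. */
function set_item_status(PDO $pdo, int $id, int $status): int
{
    $stmt = $pdo->prepare('UPDATE content SET status = :status WHERE id = :id');
    $stmt->bindValue(':status', $status, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling as either page would use it.
require_admin();

$id = parse_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

try {
    $pdo = database_connect_pdo();
    if (isset($_GET['status'])) {
        $status = parse_status($_GET['status']);
        if ($status === null) {
            http_response_code(400);
            exit('Invalid status');
        }
        set_item_status($pdo, $id, $status);
    } else {
        $item = fetch_item($pdo, $id);
    }
} catch (PDOException $e) {
    // Keep driver detail server-side; the original "or die(... mysql_error())"
    // hands the exact error text to whoever sent the request.
    error_log('content query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}
```

Two layers do the work here. The integer validation alone would already stop both PoCs, since neither id nor status can carry a quote or a keyword through FILTER_VALIDATE_INT, but the prepared statements mean the query stays safe even if a later edit loosens that validation. The catch block matters for the same reason the advisory's errors are interesting: an error message that reaches the client is what turns a blind fault into usable feedback.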


Source: http://www.exploit-id.com/web-applications/simple-web-content-management-system-1-1-multiple-sql-injection


6 comments:

Angelo Abbott said...

Tools you are using are good and nice keep going content management | web design

Sumate jitpukdebodin said...

Thanks

David bone said...

Hi, nice post. I have been wondering about this topic, so thanks for sharing. I will certainly be subscribing to your blog. Content management system

Sumate jitpukdebodin said...

Thanks for your subscribing.

Abella Ivan said...

These are absolutely amazing! Can't wait to see more, Sumate jitpukdebodin.

Abella Ivan said...

I really enjoyed the article. It proved to be very helpful to me and I am sure to all the commenters here! Cayos Cochinos
