Tutorialms 1.4 - 'show' SQL Injection

EDB-ID: 17123
CVE:
Platform: PHP
Date: 2011-04-05


#################################################################################
#                                                                               #
#          TutorialMS v1.4 (show) Remote SQL Injection Vulnerability            #
#                                                                               #
#################################################################################
.                                                                               .
---------------------------------------------------------------------------------
|                                                                               |
| Vendor: TutorialMS.com                                                        |
| Product web page: http://www.tutorialms.com                                   |
| Affected version: 1.4                                                         |
|                                                                               |
| Summary: TutorialMS is a free content management system,                      |
| developed specifically for tutorial pages. It is written                      |
| in PHP and uses MySQL as a database. TutorialMS offers all                    |
| the usual features you need to build your own tutorial page                   |
| quickly and easily, without great programming knowledge.                      |
|                                                                               |
| Desc: Input passed via the 'show' parameter to the                            |
| 'includes/classes/tutorial.php' script is not properly                        |
| sanitised before being used in a SQL query. This can be                       |
| exploited to manipulate SQL queries by injecting arbitrary                    |
| SQL code.                                                                     |
|                                                                               |
| Tested on : Microsoft Windows XP Professional SP3 (EN)                        |
|             Apache 2.2.14 (Win32)                                             |
|             PHP 5.3.1                                                         |
|             MySQL 5.1.41                                                      |
|                                                                               |
| Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                         |
|                                                                               |
|                                                                               |
| Advisory ID: ZSL-2011-5007                                                    |
| Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5007.php  |
|                                                                               |
|                                                                               |
| 04.04.2011                                                                    |
|                                                                               |
|                                                                               |
---------------------------------------------------------------------------------


`````````````````````````````````````````````````````````````````````````````````
` PoC: ``````````````````````````````````````````````````````````````````````````
`      ``````````````````````````````````````````````````````````````````````````
``````````[*] http://192.168.10.64/tutorialms/tutorials.php?show=15 [SQLi]```````
`````````````````````````````````````````````````````````````````````````````````
`````````````````````````````````````````````````````````````````````````````````
`````````````````````````````````````````````````````````````````````````````````
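
The flaw class described in the Desc field, shown next to a hardened form. This is an added example, not code from TutorialMS or from the advisory: the table and column names, the function names and the in-memory SQLite database (the product itself uses MySQL) are assumptions made so the snippet runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical schema standing in for the application's tutorials table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tutorials (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$db->exec("INSERT INTO tutorials VALUES (15, 'Public tutorial', 1), (16, 'Unpublished draft', 0)");

// Pattern the advisory describes: the request value becomes part of the SQL text.
function findTutorialUnsafe(PDO $db, string $show): array
{
    $sql = "SELECT id, title FROM tutorials WHERE published = 1 AND id = $show";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate 'show' as a positive integer, then bind it as a parameter.
function findTutorialSafe(PDO $db, string $show): array
{
    $id = filter_var($show, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("'show' must be a positive integer");
    }
    $stmt = $db->prepare('SELECT id, title FROM tutorials WHERE published = 1 AND id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id and a non-numeric value that alters the WHERE clause.
foreach (['15', '15 OR 1=1'] as $show) {
    printf("show=%s\n", $show);
    printf("  unsafe rows: %d\n", count(findTutorialUnsafe($db, $show)));
    try {
        printf("  safe rows:   %d\n", count(findTutorialSafe($db, $show)));
    } catch (InvalidArgumentException $e) {
        printf("  safe:        rejected (%s)\n", $e->getMessage());
    }
}
```

With the concatenated query the second input returns the unpublished row as well, because the value is parsed as SQL; the bound version never reaches the database with a non-integer.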

 

                                                                  -o  
                                                                o   `o
                                                                '     
                                                                \_Q_/
                                                                  I
                                                                 /T\   
                                                                 \|/    
                                                             ____=0=____