ezcms 1.2 - Blind SQL Injection / Authentication Bypass

EDB-ID:

5819

Author:

t0pP8uZz

Type:

webapps

Platform:

PHP

Published:

2008-06-14

-[*]+================================================================================+[*]-
-[*]+		       EZCMS <= 1.2 Multiple Remote Vulnerabilitys	             +[*]-
-[*]+================================================================================+[*]-



[*] Discovered By: t0pP8uZz
[*] Discovered On: 19 MAY 2008
[*] Script Download: http://eztechhelp.com
[*] DORK google/altavista: "Powered by EZCMS"



[*] Vendor Has Not Been Notified!



[*] DESCRIPTION: 

	EZCMS (all versions prior to date) suffers from 2 remote vulnerabilitys.
	
	One of these being a BLIND Sql Injection in "index.php" and the "page" variable is injectable.
	see example below.

	The second one being a insecure filemanager, the filemanager is hidden away in admin, the devs
	probarly thought no one would find it.. but here i am telling you  ;)  
	see more below.



[*] Blind SQL Injection:

	http://site.com/index.php?page=1 and 1=1
	http://site.com/index.php?page=1 and 1=2



[*] Arbitrary Remote File Manager Access:

	http://site.com/ezcms/admin/filemanager/



[*] NOTE/TIP: 

	no exploit coded for the blind injection, because no point due to you can get a easy shell
	through the file manager, althou if your curious, use SQLMap. (check sourceforge)

	the "File Manager" is a very easy to use bug, just browse to site.com/ezcms/admin/filemanager/
	site.com being the actual site and you can upload/edit/delete/upload/move  files/folders.



[*] GREETZ: 

	milw0rm.com, h4ck-y0u.org, CipherCrew !



[-] peace, 

	t0pP8uZz



-[*]+================================================================================+[*]-
-[*]+		       EZCMS <= 1.2 Multiple Remote Vulnerabilitys	             +[*]-
-[*]+================================================================================+[*]-

# milw0rm.com [2008-06-14]