60CycleCMS - 'news.php' Multiple vulnerability

vendor:

60CycleCMS

by:

Unkn0wn

7.5

CVSS

HIGH

SQL Injection and Cross Site-Scripting

CWE

Product Name: 60CycleCMS

Affected Version From: 2.5.2

Affected Version To: 2.5.2

Patch Exists: NO

Related CWE: N/A

CPE: 2.5.2

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu

2020

60CycleCMS – ‘news.php’ Multiple vulnerability

The 60CycleCMS application is vulnerable to SQL Injection and Cross Site-Scripting. In the file /common/lib.php, the function getCommentsLine() is vulnerable to SQL Injection. The news.php file is vulnerable to Cross Site-Scripting. An attacker can inject malicious payloads into the 'etsu' and 'ltsu' parameters of the index.php file.

Mitigation:

Input validation should be used to prevent SQL Injection and Cross Site-Scripting attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: 60CycleCMS  - 'news.php' Multiple vulnerability
# Google Dork: N/A
# Date: 2020-02-10
# Exploit Author: Unkn0wn
# Vendor Homepage: http://davidvg.com/
# Software Link: https://www.opensourcecms.com/60cyclecms
# Version: 2.5.2
# Tested on: Ubuntu
# CVE : N/A
---------------------------------------------------------

SQL Injection vulnerability:
----------------------------
in file /common/lib.php Line 64 -73
*
function getCommentsLine($title)
{
$title = addslashes($title);
$query = "SELECT `timestamp` FROM `comments` WHERE entry_id= '$title'";
// query MySQL server
$result=mysql_query($query) or die("MySQL Query fail: $query");
$numComments = mysql_num_rows($result);
$encTitle = urlencode($title);
return '<a href="post.php?post=' . $encTitle . '#comments" >' . $numComments . ' comments</a>';
}
lib.php line 44:
*
$query = "SELECT `timestamp`,`author`,`text` FROM `comments` WHERE `entry_id` ='$title' ORDER BY `timestamp` ASC";

*
*
news.php line 3:
*
require 'common/lib.php';
*
Then in line 15 return query us:
*
$query = "SELECT MAX(`timestamp`) FROM `entries
*

http://127.0.0.1/news.php?title=$postName[SQL Injection]
----------------------------
Cross Site-Scripting vulnerability:
File news.php in line: 136-138 :
*
$ltsu = $_GET["ltsu"];
$etsu = $_GET["etsu"];
$post = $_GET["post"];
*
get payload us and printEnerty.php file in line 26-27:
*
<? echo '<a class="navLink" href="index.php?etsu=' . $etsu . '">Older ></a>';
<? echo '<a class="navLink" href="index.php?ltsu=' . 0 . '">Oldest >>|</a>';
*

print it for us!
http://127.0.0.1/index.php?etsu=[XSS Payloads]
http://127.0.0.1/index.php?ltsu=[XSS Payloads]
----------------------------------------------------------
# Contact : 0x9a@tuta.io
# Visit: https://t.me/l314XK205E
# @ 2010 - 2020
# Underground Researcher