TutorialMS v1.4 (show) Remote SQL Injection Vulnerability

vendor:

TutorialMS

by:

Gjoko Krstic

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: TutorialMS

Affected Version From: 1.4

Affected Version To: 1.4

Patch Exists: NO

Related CWE: N/A

CPE: a:tutorialms.com:tutorialms:1.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Microsoft Windows XP Professional SP3

2009

TutorialMS v1.4 (show) Remote SQL Injection Vulnerability

Input passed via the 'show' parameter to the 'includes/classes/tutorial.php' script is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in an unsafe manner.

Source

Exploit-DB raw data:

#################################################################################
#                                                                               #
#          TutorialMS v1.4 (show) Remote SQL Injection Vulnerability            #
#                                                                               #
#################################################################################
.                                                                               .
---------------------------------------------------------------------------------
|                                                                               |
| Vendor: TutorialMS.com                                                        |
| Product web page: http://www.tutorialms.com                                   |
| Affected version: 1.4                                                         |
|                                                                               |
| Summary: TutorialMS is a free content management system,                      |
| developed specifically for tutorial pages. It is written                      |
| in PHP and uses MySQL as a database. TutorialMS offers all                    |
| the usual features you need to build quick and easy your                      |
| own tutorial page, without great programming knowledge.                       |
|                                                                               |
| Desc: Input passed via the 'show' parameter to  the                           |
| 'includes/classes/tutorial.php' script is not properly                        |
| sanitised before being used in a SQL query. This can be                       |
| exploited to manipulate SQL queries by injecting arbitrary                    |
| SQL code.                                                                     |
|                                                                               |
| Tested on : Microsoft Windows XP Professional SP3 (EN)                        |
|             Apache 2.2.14 (Win32)                                             |
|             PHP 5.3.1                                                         |
|             MySQL 5.1.41                                                      |
|                                                                               |
| Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                         |
|                                                                               |
|                                                                               |
| Advisory ID: ZSL-2011-5007                                                    |
| Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5007.php  |
|                                                                               |
|                                                                               |
| 04.04.2011                                                                    |
|                                                                               |
|                                                                               |
---------------------------------------------------------------------------------


`````````````````````````````````````````````````````````````````````````````````
` PoC: ``````````````````````````````````````````````````````````````````````````
`      ``````````````````````````````````````````````````````````````````````````
``````````[*] http://192.168.10.64/tutorialms/tutorials.php?show=15 [SQLi]```````
`````````````````````````````````````````````````````````````````````````````````
`````````````````````````````````````````````````````````````````````````````````
`````````````````````````````````````````````````````````````````````````````````

 

                                                                  -o  
                                                                o   `o
                                                                '     
                                                                \_Q_/
                                                                  I
                                                                 /T\   
                                                                 \|/    
                                                             ____=0=____